diff --git a/.gitignore b/.gitignore
index 9841e0daea..8195f14f24 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ Tools/NuGet/
*.ini
_themes*/
common/
+.vscode/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 43bc4bec68..2584b8cb49 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -71,6 +71,15 @@ There are different types of apps that can run on your Windows client devices. T
Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
+## Android™️ apps
+
+Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
+
+For more information, see:
+
+- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
+- [Windows Subsystem for Android developer information](/windows/android/wsa)
+
## Add or deploy apps to devices
When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
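Review bot: In the added Android paragraph, "just like others apps installed from the Microsoft Store" should read "just like other apps". The new heading also carries the trademark symbol ("## Android™️ apps"), which ends up in the generated anchor and in any TOC entry; consider keeping the symbol in the body text only and using a plain "## Android apps" heading.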
diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml
index 3655fed6e5..4be6d524af 100644
--- a/windows/application-management/toc.yml
+++ b/windows/application-management/toc.yml
@@ -23,7 +23,7 @@ items:
href: manage-windows-mixed-reality.md
- name: Application Virtualization (App-V)
items:
- - name: App-V for Windows 10 overview
+ - name: App-V for Windows overview
href: app-v/appv-for-windows.md
- name: Getting Started
items:
@@ -266,5 +266,5 @@ items:
href: per-user-services-in-windows.md
- name: Disabling System Services in Windows Server
href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
- - name: How to keep apps removed from Windows 10 from returning during an update
+ - name: How to keep apps removed from Windows from returning during an update
href: remove-provisioned-apps-during-update.md
\ No newline at end of file
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 42722f7bd7..5f2a7ff230 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -19,10 +19,18 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
+The following shows the AccountManagement configuration service provider in tree format.
-The following diagram shows the AccountManagement configuration service provider in tree format.
-
-
+```console
+./Vendor/MSFT
+AccountManagement
+----UserProfileManagement
+--------EnableProfileManager
+--------DeletionPolicy
+--------StorageCapacityStartDeletion
+--------StorageCapacityStopDeletion
+--------ProfileInactivityThreshold
+```
**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.
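Review bot: In the new tree block, `./Vendor/MSFT` and `AccountManagement` sit at the same indentation, so AccountManagement reads as a sibling of the root path rather than its child, while the text right below documents the node as `./Vendor/MSFT/AccountManagement`. Indent AccountManagement one level (and its children accordingly) so the tree matches that path. The fence also opens directly after the intro sentence with no blank line, unlike the appv-deploy-and-config.md change in this same patch, and `console` is an odd tag for a node tree that is not terminal output.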
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 4c8f6eaecd..ac7cb56c39 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -23,7 +23,36 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
-
+The following shows the EnterpriseAppVManagement configuration service provider in tree format.
+
+```console
+./Vendor/MSFT
+EnterpriseAppVManagement
+----AppVPackageManagement
+--------EnterpriseID
+------------PackageFamilyName
+---------------PackageFullName
+------------------Name
+------------------Version
+------------------Publisher
+------------------InstallLocation
+------------------InstallDate
+------------------Users
+------------------AppVPackageID
+------------------AppVVersionId
+------------------AppVPackageUri
+----AppVPublishing
+--------LastSync
+------------LastError
+------------LastErrorDescription
+------------SyncStatusDescription
+------------SyncProgress
+--------Sync
+------------PublishXML
+----AppVDynamicPolicy
+--------ConfigurationId
+------------Policy
+```
(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.
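Review bot: The tree's indentation step is not uniform: the first three levels grow by four dashes each, but `PackageFullName` and the nodes beneath it grow by three, so the depth of `Name` through `AppVPackageUri` is ambiguous when read as plain text. Use the same step throughout. The root is also shown as `./Vendor/MSFT`, while the sentence immediately after the block describes `./User/Vendor/MSFT/EnterpriseAppVManagement`; one of the two needs to change, or the text should say that both scopes exist.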
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index a65935c948..5cdeeeac16 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl
## Themes
-The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
+The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
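Review bot: The last sentence of the rewritten paragraph reads "Using the shared templates ensure a seamless experience"; since the line is being touched anyway, fix it to "ensures". The link text now pins "(1.1.4)" next to a versioned download URL, so both will need updating together at the next template release; a short note on where to find the current version would keep the paragraph from going stale.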
@@ -236,7 +236,11 @@ There are 3 distinct scenarios:
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
-The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
+The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
+
+- For Windows 10, use **oobe-desktop.css**
+- For Windows 11, use **oobe-light.css**
+
### Using themes
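Review bot: The two new bullets name **oobe-desktop.css** for Windows 10 and **oobe-light.css** for Windows 11, but the sentence above them still says there are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences, so it is unclear which of those cases the bullets cover. Add a lead-in that says which experience the two files apply to. The touched sentence also keeps "The CSS files provided by Microsoft contains" (should be "contain") and recommends "the latest version" while the link text hard-codes 1.1.4.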
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index e07354fa81..7c66f6b36e 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -16,18 +16,18 @@ ms.date: 06/26/2017
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
+>[!Note]
+>BOOTSTRAP CSP is only supported in Windows 10 Mobile.
+>
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-> **Note** BOOTSTRAP CSP is only supported in Windows 10 Mobile.
->
->
->
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
+The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
-
-The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
-
+```console
+BOOTSTRAP
+----CONTEXT-ALLOW
+----PROVURL
+```
**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
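Review bot: The new alert block mixes quote styles: `>[!Note]` and `>BOOTSTRAP CSP is only supported...` have no space after `>`, while the last line uses `> This configuration...`; accountmanagement-csp.md in this same patch uses `> [!NOTE]`. Pick one form for the whole block. The change also folds what were two separate notes into one, so the capability requirement (ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN) now reads as a footnote to the Windows 10 Mobile statement; if it is meant to stand on its own, keep it as a second alert.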
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 15a939f7eb..bf703c3671 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
-The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
+The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
+```console
+BrowserFavorite
+favorite name
+----URL
+```
***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
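Review bot: In the new tree, `favorite name` has no leading dashes, so it appears at the same level as the `BrowserFavorite` root, and `URL` then looks like a direct child one level down from the root. The description below documents *favorite name* as the node that carries the URL, so the tree should show `----favorite name` with `--------URL` beneath it.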
@@ -78,19 +82,19 @@ The following table shows the Microsoft custom elements that this configuration
-parm-query |
+Parm-query |
Yes |
-noparm |
+Noparm |
Yes |
-nocharacteristic |
+Nocharacteristic |
Yes |
-characteristic-query |
+Characteristic-query |
Yes
Recursive query: Yes
Top-level query: Yes |
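Review bot: This table lists element names (`parm-query`, `noparm`, `nocharacteristic`, `characteristic-query`), and the change capitalizes the first letter of each. These are identifiers that readers copy into provisioning XML, where case matters, so `Parm-query` and `Noparm` no longer match what has to be typed. Keep the original lowercase spelling, ideally in code formatting so a style pass does not sentence-case them again.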
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index e493bf16e1..38f858db4d 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -19,9 +19,13 @@ The CellularSettings configuration service provider is used to configure cellula
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
-The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
+The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
-
+```console
+./Vendor/MSFT
+CellularSettings
+----DataRoam
+```
**DataRoam**
Optional. Integer. Specifies the default roaming value. Valid values are:
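Review bot: The intro sentence says the tree is shown as used by OMA Client Provisioning and that OMA DM is not supported, yet the new block starts with `./Vendor/MSFT`, the same root line used for the other CSP trees in this patch, while the other OMA CP trees here (BOOTSTRAP, BrowserFavorite, CM_CellularEntries) start at the CSP name. Either drop the `./Vendor/MSFT` line or correct the sentence, so readers are not told two different things about which protocol addresses this CSP.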
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 44886adee0..37fa305bce 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
-The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
+The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
-
+```console
+CM_CellularEntries
+----entryname
+--------AlwaysOn
+--------AuthType
+--------ConnectionType
+--------Desc.langid
+--------Enabled
+--------IpHeaderCompression
+--------Password
+--------SwCompression
+--------UserName
+--------UseRequiresMappingPolicy
+--------Version
+--------DevSpecificCellular
+-----------GPRSInfoAccessPointName
+--------Roaming
+--------OEMConnectionID
+--------ApnId
+--------IPType
+--------ExemptFromDisablePolicy
+--------ExemptFromRoaming
+--------TetheringNAI
+--------IdleDisconnectTimeout
+--------SimIccId
+--------PurposeGroups
+```
***entryname***
Defines the name of the connection.
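Review bot: `GPRSInfoAccessPointName` under `DevSpecificCellular` is indented by a different number of dashes than the four-per-level step used for every other node in this tree, which makes its depth unclear in a plain-text rendering. Align it to the same step as the rest (one full level below `DevSpecificCellular`).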
@@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service provid
-gprs |
+Gprs |
Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE). |
-cdma |
+Cdma |
Used for CDMA type connections (1XRTT + EVDO). |
-lte |
+Lte |
Used for LTE type connections (eHRPD + LTE) when the device is registered HOME. |
-legacy |
+Legacy |
Used for GPRS + GSM + EDGE + UMTS connections. |
-lte_iwlan |
+Lte_iwlan |
Used for GPRS type connections that may be offloaded over WiFi |
-iwlan |
+Iwlan |
Used for connections that are implemented over WiFi offload only |
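Review bot: The first column of this table holds the literal ConnectionType values (`gprs`, `cdma`, `lte`, `legacy`, `lte_iwlan`, `iwlan`), and the change capitalizes each one. A reader who copies `Gprs` or `Lte_iwlan` into a provisioning document gets a value that differs from the one documented before this change. Keep the values lowercase and put them in code formatting so they are clearly literals rather than prose.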
@@ -285,15 +311,15 @@ The following table shows the Microsoft custom elements that this configuration
-nocharacteristic |
+Nocharacteristic |
Yes |
-characteristic-query |
+Characteristic-query |
Yes |
-parm-query |
+Parm-query |
Yes |
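Review bot: `nocharacteristic`, `characteristic-query` and `parm-query` are element names, and capitalizing their first letter changes the identifier a reader would copy. Revert to the lowercase names here as well, consistent with whatever is decided for the same table in browserfavorite-csp.md.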
diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md
new file mode 100644
index 0000000000..f1bee95c6a
--- /dev/null
+++ b/windows/client-management/mdm/config-lock.md
@@ -0,0 +1,133 @@
+---
+title: Secured-Core Configuration Lock
+description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
+manager: dansimp
+keywords: mdm,management,administrator,config lock
+ms.author: v-lsaldanha
+ms.topic: article
+ms.prod: w11
+ms.technology: windows
+author: lovina-saldanha
+ms.date: 10/07/2021
+---
+
+# Secured-Core PC Configuration Lock
+
+**Applies to**
+
+- Windows 11
+
+In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
+
+Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
+
+To summarize, Config Lock:
+
+- Enables IT to “lock” Secured-Core PC features when managed through MDM
+- Detects drift remediates within seconds
+- DOES NOT prevent malicious attacks
+
+## Configuration Flow
+
+After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+
+## System Requirements
+
+Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
+
+## Enabling Config Lock using Microsoft Intune
+
+Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
+
+The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
+
+1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
+1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
+1. Select the following and press **Create**:
+ - **Platform**: Windows 10 and later
+ - **Profile type**: Templates
+ - **Template name**: Custom
+
+ :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
+
+1. Name your profile.
+1. When you reach the Configuration Settings step, select “Add” and add the following information:
+ - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
+ - **Data type**: Integer
+ - **Value**: 1
+ To turn off Config Lock. Change value to 0.
+
+ :::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
+
+1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
+1. You'll not need to set any applicability rules for test purposes.
+1. Review the Configuration and select “Create” if everything is correct.
+1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
+
+ :::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
+
+ :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
+
+## Disabling
+
+Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
+
+:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
+
+## FAQ
+
+**Can an IT admins disable Config Lock ?**
+ Yes. IT admins can use MDM to turn off Config Lock.
+
+### List of locked policies
+
+|**CSPs** |
+|-----|
+|[BitLocker ](bitlocker-csp.md) |
+|[PassportForWork](passportforwork-csp.md) |
+|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
+|[ApplicationControl](applicationcontrol-csp.md)
+
+
+|**MDM policies** |
+|-----|
+|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) |
+|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) |
+|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) |
+|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) |
+|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) |
+|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
+|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
+|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
+|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
+|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
+|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
+|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |
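Review bot: In step 5 of "Enabling Config Lock using Microsoft Intune", the line "To turn off Config Lock. Change value to 0." is a sentence fragment indented as if it belonged to the OMA-URI / Data type / Value list; make it one sentence ("To turn off Config Lock, change the value to 0.") and separate it from the three settings. It is also the only place the page says how to disable the lock: the "Disabling" section states that admins can still change SCPC features but gives no procedure, so that section should carry the instruction. The OMA-URI should be in code formatting so the `%20` escapes in `MS%20DM%20Server` are copied literally. Smaller points: "Detects drift remediates within seconds" is missing "and"; the FAQ question reads "Can an IT admins disable Config Lock ?"; "### List of locked policies" is nested under "## FAQ" although "Configuration Flow" links to it as a section of its own; and the last row of the CSPs table (`ApplicationControl`) lacks its closing `|`.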
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index d4793c91e6..78158a6a3f 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -43,12 +43,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ No |
@@ -69,12 +69,12 @@ Additional lists:
Mobile |
-  |
- 4 |
- 4 |
- 4 |
- 4 |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ No |
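Review bot: The four middle cells in this row change from the marker "4" to a bare "Yes", so the footnote reference is lost, whereas other rows in this patch keep theirs ("Yes6", "Yes3", "Yes2"). If footnote 4 still applies to this CSP, carry it over the same way; if it was dropped on purpose, check whether the page's footnote list still needs that entry.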
@@ -95,12 +95,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -121,12 +121,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ No |
@@ -147,12 +147,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -173,12 +173,12 @@ Additional lists:
Mobile |
- 6 |
- 6 |
- 6 |
- 6 |
- 6 |
- 6 |
+ Yes6 |
+ Yes6 |
+ Yes6 |
+ Yes6 |
+ Yes6 |
+ Yes6 |
@@ -199,12 +199,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -225,12 +225,12 @@ Additional lists:
Mobile |
-  |
- 3 |
-  |
-  |
-  |
-  |
+ No |
+ Yes3 |
+ Yes |
+ Yes |
+ Yes |
+ No |
@@ -251,12 +251,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -277,12 +277,12 @@ Additional lists:
Mobile |
-  |
- 5 |
- 2 |
- 2 |
- 2 |
- 2 |
+ No |
+ Yes5 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
@@ -303,12 +303,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ No |
@@ -329,12 +329,12 @@ Additional lists:
Mobile |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-  |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes |
@@ -356,12 +356,12 @@ Additional lists:
-  |
-  |
-  |
-  |
-  |
- 1 |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes1 |
@@ -382,12 +382,12 @@ Additional lists:
Mobile |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-  |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes |
@@ -408,12 +408,12 @@ Additional lists:
Mobile |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-  |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes |
@@ -434,12 +434,12 @@ Additional lists:
Mobile |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-  |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes |
@@ -460,12 +460,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -486,12 +486,12 @@ Additional lists:
Mobile |
-  |
-  |
- 2 |
- 2 |
- 2 |
-  |
+ No |
+ No |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ No |
@@ -512,12 +512,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -538,12 +538,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ No |
@@ -564,12 +564,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -590,12 +590,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -616,12 +616,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ No |
@@ -642,12 +642,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -668,12 +668,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -694,12 +694,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ No |
@@ -720,12 +720,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -746,12 +746,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -772,12 +772,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -799,12 +799,12 @@ Additional lists:
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -825,12 +825,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -852,12 +852,12 @@ Additional lists:
-  |
-  |
-  |
- 2 |
- 2 |
- 3 |
+ No |
+ No |
+ No |
+ Yes2 |
+ Yes2 |
+ Yes3 |
@@ -878,12 +878,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -904,12 +904,12 @@ Additional lists:
Mobile |
- 6 |
- 6 |
- 6 |
- 6 |
- 6 |
-  |
+ Yes6 |
+ Yes6 |
+ Yes6 |
+ Yes6 |
+ Yes6 |
+ No |
@@ -930,12 +930,12 @@ Additional lists:
Mobile |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-  |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes |
@@ -956,12 +956,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -982,12 +982,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
- 2 |
- 2 |
-  |
+ No |
+ No |
+ No |
+ Yes2 |
+ Yes2 |
+ No |
@@ -1008,12 +1008,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1034,13 +1034,13 @@ Additional lists:
Mobile |
-
+ | Yes
Only for mobile application management (MAM) |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1061,12 +1061,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ No |
@@ -1087,12 +1087,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1113,12 +1113,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1139,12 +1139,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1165,12 +1165,12 @@ Additional lists:
Mobile |
-  |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
+ No |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
@@ -1191,12 +1191,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
- B |
+ No |
+ No |
+ No |
+ No |
+ No |
+ YesB |
@@ -1217,12 +1217,12 @@ Additional lists:
Mobile |
-  |
- 3 |
- 3 |
- 3 |
- 3 |
-  |
+ No |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ No |
@@ -1243,12 +1243,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1269,12 +1269,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1296,13 +1296,13 @@ Additional lists:
Mobile Enterprise |
-  |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ No |
+ Yes |
+ Yes |
+ No |
+ No |
@@ -1322,12 +1322,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1348,12 +1348,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
- 2 |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes2 |
@@ -1374,12 +1374,12 @@ Additional lists:
Mobile |
- 4 |
- 4 |
- 4 |
- 4 |
- 4 |
- 4 |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
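Review bot: All six cells in this row previously carried the marker "4" and now read plain "Yes". Rows with markers 1, 2, 3, 5, 6 and B keep them after conversion, so dropping only 4 looks unintentional; restore it or confirm that the version qualifier no longer applies.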
@@ -1400,12 +1400,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1426,12 +1426,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1452,12 +1452,12 @@ Additional lists:
Mobile |
-  |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
+ No |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
@@ -1478,12 +1478,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1504,12 +1504,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1530,12 +1530,12 @@ Additional lists:
Mobile |
-  |
- 2 |
- 2 |
- 2 |
- 2 |
-  |
+ No |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ Yes2 |
+ No |
@@ -1556,12 +1556,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1582,12 +1582,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1608,12 +1608,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1634,12 +1634,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
- 2 |
- 2 |
-  |
+ No |
+ No |
+ No |
+ Yes2 |
+ Yes2 |
+ No |
@@ -1660,12 +1660,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1686,12 +1686,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1712,12 +1712,12 @@ Additional lists:
Mobile |
- B |
- B |
- B |
- B |
- B |
- B |
+ YesB |
+ YesB |
+ YesB |
+ YesB |
+ YesB |
+ YesB |
@@ -1738,12 +1738,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1764,12 +1764,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1790,12 +1790,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1816,12 +1816,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1842,12 +1842,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -1868,12 +1868,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1894,12 +1894,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1920,12 +1920,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1946,12 +1946,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -1972,12 +1972,12 @@ Additional lists:
Mobile |
-  |
- 1 |
- 1 |
- 1 |
- 1 |
-  |
+ No |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ No |
@@ -1998,12 +1998,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2024,12 +2024,12 @@ Additional lists:
Mobile |
-  |
- 1 |
- 1 |
- 1 |
- 1 |
-  |
+ No |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ No |
@@ -2050,12 +2050,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2103,12 +2103,12 @@ Additional lists:
Mobile |
-  |
- 5 |
- 5 |
- 5 |
- 5 |
-  |
+ No |
+ Yes5 |
+ Yes5 |
+ Yes5 |
+ Yes5 |
+ No |
@@ -2129,12 +2129,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2155,12 +2155,12 @@ Additional lists:
Mobile |
-  |
-  |
- 4 |
- 4 |
- 4 |
-  |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ No |
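Review bot: The footnote marker is lost in this row. The three removed cells that carried `4` after the check mark are replaced with a plain `Yes`, while the other rows converted in this table keep their markers (`Yes1`, `Yes2`, `Yes5`). If the "Added in Windows 10, version 1803" qualifier still applies, these cells should read `Yes4`; if dropping it is intentional, mention that in the commit message.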
@@ -2181,12 +2181,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ Yes |
+ Yes |
+ Yes |
+ No |
@@ -2207,12 +2207,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2233,12 +2233,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -2259,12 +2259,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2290,7 +2290,7 @@ Additional lists:
|
|
|
-  |
+ Yes |
|
@@ -2312,12 +2312,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2338,12 +2338,12 @@ Additional lists:
Mobile |
-  |
- 1 |
- 1 |
- 1 |
- 1 |
-  |
+ No |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ No |
@@ -2364,12 +2364,12 @@ Additional lists:
Mobile |
-  |
- 5 |
- 5 |
- 5 |
- 5 |
-  |
+ No |
+ Yes5 |
+ Yes5 |
+ Yes5 |
+ Yes5 |
+ No |
@@ -2390,12 +2390,12 @@ Additional lists:
Mobile |
-  |
- 1 |
- 1 |
- 1 |
- 1 |
-  |
+ No |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ Yes1 |
+ No |
@@ -2416,12 +2416,12 @@ Additional lists:
Mobile |
-  |
- 3 |
- 3 |
- 3 |
- 3 |
-  | >
+ No |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ Yes3 |
+ No | >
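Review bot: The last added cell, `+ No | >`, keeps the stray `>` that was already on the removed line. Since this row is being rewritten anyway, remove the `>` so it does not end up as literal text in the rendered table.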
@@ -2443,12 +2443,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
+ Yes |
@@ -2469,12 +2469,12 @@ Additional lists:
Mobile |
-  |
-  |
-  |
-  |
-  |
-  |
+ No |
+ No |
+ No |
+ No |
+ No |
+ Yes |
@@ -2495,12 +2495,12 @@ Additional lists:
Mobile |
-  |
- 5 |
- 5 |
- 5 |
- 5 |
- 5 |
+ No |
+ Yes5 |
+ Yes5 |
+ Yes5 |
+ Yes5 |
+ Yes5 |
@@ -2526,7 +2526,7 @@ Additional lists:
|
|
|
-  |
+ Yes |
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
|------|--------|--------|--------|
-| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | 
-| [Accounts CSP](accounts-csp.md) |  |  |  |
-| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
-| [AppLocker CSP](applocker-csp.md) |  |  |  |
-| [AssignedAccess CSP](assignedaccess-csp.md) |  |  4 |  |
-| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
-| [DevDetail CSP](devdetail-csp.md) |  |  |  |
-| [DeveloperSetup CSP](developersetup-csp.md) |  |  2 (runtime provisioning via provisioning packages only; no MDM support)|  |
-| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
-| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
-| [DevInfo CSP](devinfo-csp.md) |  |  |  |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
-| [DMAcc CSP](dmacc-csp.md) |  |  |  |
-| [DMClient CSP](dmclient-csp.md) |  |  |  |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
-| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
-| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
-| [NodeCache CSP](nodecache-csp.md) |  |  |  |
-[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
-| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
-| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
-| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  4 |  |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
-| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
-| [Update CSP](update-csp.md) |  |  |  |
-| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
-| [WiFi CSP](wifi-csp.md) |  |  |  |
-| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |  |
+| [AccountManagement CSP](accountmanagement-csp.md) | No | Yes 4 | Yes
+| [Accounts CSP](accounts-csp.md) | Yes | Yes | Yes |
+| [ApplicationControl CSP](applicationcontrol-csp.md) | No | No | Yes |
+| [AppLocker CSP](applocker-csp.md) | No | Yes | No |
+| [AssignedAccess CSP](assignedaccess-csp.md) | No | Yes 4 | Yes |
+| [CertificateStore CSP](certificatestore-csp.md) | Yes | Yes| Yes |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | No | Yes | Yes |
+| [DevDetail CSP](devdetail-csp.md) | Yes | Yes | Yes |
+| [DeveloperSetup CSP](developersetup-csp.md) | No | Yes 2 (runtime provisioning via provisioning packages only; no MDM support)| Yes |
+| [DeviceManageability CSP](devicemanageability-csp.md) | No | No | Yes |
+| [DeviceStatus CSP](devicestatus-csp.md) | No | Yes | Yes |
+| [DevInfo CSP](devinfo-csp.md) | Yes | Yes | Yes |
+| [DiagnosticLog CSP](diagnosticlog-csp.md) | No | Yes | Yes |
+| [DMAcc CSP](dmacc-csp.md) | Yes | Yes | Yes |
+| [DMClient CSP](dmclient-csp.md) | Yes | Yes | Yes |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | No | No | Yes 10 |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | No | Yes | Yes |
+| [NetworkProxy CSP](networkproxy-csp.md) | No | No | Yes |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | No | No | Yes 8|
+| [NodeCache CSP](nodecache-csp.md) | Yes | Yes | Yes |
+[PassportForWork CSP](passportforwork-csp.md) | No | Yes | Yes |
+| [Policy CSP](policy-configuration-service-provider.md) | No | Yes | Yes |
+| [RemoteFind CSP](remotefind-csp.md) | No | Yes 4 | Yes |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | No | Yes 4 | Yes |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | No | Yes | Yes |
+| [TenantLockdown CSP](tenantlockdown-csp.md) | No | No | Yes 10 |
+| [Update CSP](update-csp.md) | No | Yes | Yes |
+| [VPNv2 CSP](vpnv2-csp.md) | No | Yes | Yes |
+| [WiFi CSP](wifi-csp.md) | No | Yes | Yes |
+| [WindowsLicensing CSP](windowslicensing-csp.md) | Yes | Yes | No |
## CSPs supported in Microsoft Surface Hub
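Review bot: Two rows in the rewritten HoloLens table are still malformed. The AccountManagement row ends at `| Yes` without a closing `|`, and the PassportForWork row starts with `[PassportForWork CSP]` without a leading `|`. Both defects were present in the removed lines and are copied into the added ones. Please fix them here, and normalise the footnote spacing (`Yes 4`, `Yes 8|`, `Yes 10`) so it matches the `Yes1` / `Yes5` form used in the tables above.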
@@ -2649,17 +2649,3 @@ The following list shows the CSPs supported in HoloLens devices:
- Footnotes:
-- A - Only for mobile application management (MAM).
-- B - Provisioning only.
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
-- 9 - Added in Windows 10 Team 2020 Update
-- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
-
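Review bot: This removes the whole footnote legend (A, B, 1 through 10), but cells added earlier in this file still carry those markers, for example `YesB`, `Yes1`, `Yes5` and `Yes 10`. Unless the legend is re-added elsewhere in the file (not visible in this hunk), readers can no longer tell which Windows version or restriction a marker stands for. Keep the legend or strip the markers in the same change.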
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 5337bb0cfd..d63708145e 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -179,7 +179,7 @@ Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
-On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
+On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index bd80931f74..c4a5bf7384 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -138,9 +138,46 @@ Updates are configured using a combination of the [Update CSP](update-csp.md), a
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
-The following diagram shows the Update policies in a tree format.
+The following shows the Update policies in a tree format.
-
+```console
+./Vendor/MSFT
+Policy
+----Config
+--------Update
+-----------ActiveHoursEnd
+-----------ActiveHoursMaxRange
+-----------ActiveHoursStart
+-----------AllowAutoUpdate
+-----------AllowMUUpdateService
+-----------AllowNonMicrosoftSignedUpdate
+-----------AllowUpdateService
+-----------AutoRestartNotificationSchedule
+-----------AutoRestartRequiredNotificationDismissal
+-----------BranchReadinessLevel
+-----------DeferFeatureUpdatesPeriodInDays
+-----------DeferQualityUpdatesPeriodInDays
+-----------DeferUpdatePeriod
+-----------DeferUpgradePeriod
+-----------EngagedRestartDeadline
+-----------EngagedRestartSnoozeSchedule
+-----------EngagedRestartTransitionSchedule
+-----------ExcludeWUDriversInQualityUpdate
+-----------IgnoreMOAppDownloadLimit
+-----------IgnoreMOUpdateDownloadLimit
+-----------PauseDeferrals
+-----------PauseFeatureUpdates
+-----------PauseQualityUpdates
+-----------RequireDeferUpgrade
+-----------RequireUpdateApproval
+-----------ScheduleImminentRestartWarning
+-----------ScheduledInstallDay
+-----------ScheduledInstallTime
+-----------ScheduleRestartWarning
+-----------SetAutoRestartNotificationDisable
+-----------UpdateServiceUrl
+-----------UpdateServiceUrlAlternate
+```
**Update/ActiveHoursEnd**
> [!NOTE]
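Review bot: The unchanged sentence just above the edit still says "Here's the CSP diagram for the Update node in Policy CSP", although the image is removed here and replaced by a text tree. Reword that sentence as part of this change. In the tree itself, the leaf nodes sit at 11 dashes under an 8-dash `Update` node; use 12 so each level is a consistent 4-dash step.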
@@ -674,9 +711,38 @@ Example
### Update management
-The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
+The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
-
+```console
+./Vendor/MSFT
+Update
+----ApprovedUpdates
+--------Approved Update Guid
+------------ApprovedTime
+----FailedUpdates
+--------Failed Update Guid
+------------HResult
+------------Status
+------------RevisionNumber
+----InstalledUpdates
+--------Installed Update Guid
+------------RevisionNumber
+----InstallableUpdates
+--------Installable Update Guid
+------------Type
+------------RevisionNumber
+----PendingRebootUpdates
+--------Pending Reboot Update Guid
+------------InstalledTime
+------------RevisionNumber
+----LastSuccessfulScanTime
+----DeferUpgrade
+----Rollback
+--------QualityUpdate
+--------FeatureUpdate
+--------QualityUpdateStatus
+--------FeatureUpdateStatus
+```
**Update**
The root node.
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index 0db22bf159..a7852e16cc 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -24,9 +24,27 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
-The following diagram shows the DeviceInstanceService configuration service provider in tree format.
+The following shows the DeviceInstanceService configuration service provider in tree format.
-
+```console
+./Vendor/MSFT
+DeviceInstanceService
+------------Roaming
+------------PhoneNumber
+------------IMEI
+------------IMSI
+------------Identity
+---------------Identity1
+------------------Roaming
+------------------PhoneNumber
+------------------IMEI
+------------------IMSI
+---------------Identity2
+------------------PhoneNumber
+------------------IMEI
+------------------IMSI
+------------------Roaming
+```
**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
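Review bot: The added tree puts `Roaming`, `PhoneNumber`, `IMEI`, `IMSI` and `Identity` at 12 dashes directly under `DeviceInstanceService`, with no 4-dash or 8-dash level in between, so the depth suggests intermediate nodes that are not there. Start the first level at 4 dashes and step by 4. Also list the `Identity2` children in the same order as `Identity1` (`Roaming` is first in one and last in the other).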
@@ -36,34 +54,34 @@ Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
**PhoneNumber**
-A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
+A string that represents the phone number of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
**IMEI**
-A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
+A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
**IMSI**
-A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
+A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
**Identity**
-The parent node to group per SIM specific information in case of dual SIM mode.
+The parent node to group per SIM-specific information in dual SIM mode.
**Identity1**
-The parent node to group SIM1 specific information in case of dual SIM mode.
+The parent node to group SIM1 specific information in dual SIM mode.
**Identity2**
-The parent node to group SIM2 specific information in case of dual SIM mode.
+The parent node to group SIM2 specific information in dual SIM mode.
## Examples
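Review bot: Several defects survive in the lines this hunk rewrites. The IMEI line still reads "A string the represents" (should be "that"). All three node paths still use `Identify1`, while the tree added above names the node `Identity1`. The IMSI line has "In dual SIM mode when" without the comma that the PhoneNumber and IMEI lines now have. The Identity1/Identity2 lines say "SIM1 specific" while the Identity line was changed to "SIM-specific". Fix these in the same pass.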
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 9933e58a23..d415155769 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -30,9 +30,33 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
-The following image shows the DeviceLock configuration service provider in tree format.
+The following shows the DeviceLock configuration service provider in tree format.
-
+```console
+./Vendor/MSFT
+DeviceLock
+--------Provider
+----------ProviderID
+-------------DevicePasswordEnabled
+-------------AllowSimpleDevicePassword
+-------------MinDevicePasswordLength
+-------------AlphanumericDevicePasswordRequired
+-------------MaxDevicePasswordFailedAttempts
+-------------DevicePasswordExpiration
+-------------DevicePasswordHistory
+-------------MaxInactivityTimeDeviceLock
+-------------MinDevicePasswordComplexCharacters
+----------DeviceValue
+-------------DevicePasswordEnabled
+-------------AllowSimpleDevicePassword
+-------------MinDevicePasswordLength
+-------------AlphanumericDevicePasswordRequired
+-------------MaxDevicePasswordFailedAttempts
+-------------DevicePasswordExpiration
+-------------DevicePasswordHistory
+-------------MaxInactivityTimeDeviceLock
+-------------MinDevicePasswordComplexCharacters
+```
**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
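Review bot: The tree's indentation steps are irregular (8, 10, then 13 dashes), and `DeviceValue` is drawn at the same depth as `ProviderID`, which makes it a child of `Provider`. The text below describes `Provider` as the node that groups policy providers, so please confirm that `DeviceValue` belongs under it rather than directly under `DeviceLock`, and use a uniform 4-dash step so the hierarchy is unambiguous.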
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index b8ddb3ffeb..9480172d90 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format.
./Vendor/MSFT
DMClient
----Provider
---------
+--------ProviderID
------------EntDeviceName
------------ExchangeID
------------EntDMID
@@ -45,6 +45,10 @@ DMClient
------------HWDevID
------------ManagementServerAddressList
------------CommercialID
+------------ConfigLock
+----------------Lock
+----------------UnlockDuration
+----------------SecureCore
------------Push
----------------PFN
----------------ChannelURI
@@ -598,6 +602,33 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
+**Provider/*ProviderID*/ConfigLock**
+
+Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
+
+Default = Locked
+
+> [!Note]
+>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+
+**Provider/*ProviderID*/ConfigLock/Lock**
+
+The supported values for this node are 0-unlock, 1-lock.
+
+Supported operations are Add, Delete, Get.
+
+**Provider/*ProviderID*/ConfigLock/UnlockDuration**
+
+The supported values for this node are 1 to 480 (in min).
+
+Supported operations are Add, Delete, Get.
+
+**Provider/*ProviderID*/ConfigLock/SecureCore**
+
+The supported values for this node are false or true.
+
+Supported operation is Get only.
+
**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
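Review bot: The new ConfigLock nodes are under-specified for a setting that controls drift remediation. `Default = Locked` is stated on the parent node, but the `Lock` node takes `0-unlock, 1-lock`, so say which value is the default and on which node. `Lock` and `UnlockDuration` list "Add, Delete, Get" with no Replace; document how an existing value is changed, or add Replace if it is supported. None of the three child nodes states a value type or says what it does (for example, what happens when `UnlockDuration` expires). Minor: `> [!Note]` should match the `> [!NOTE]` casing used elsewhere, `>If` needs a space after `>`, and "enables [Config Lock] feature" is missing "the".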
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index 8c5e138861..0f51e05177 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -39,9 +39,109 @@ Windows 10 lets you inventory all apps deployed to a user and all apps for all
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
-The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
+The following shows the EnterpriseModernAppManagement CSP in a tree format.
-
+```console
+./Device/Vendor/MSFT
+or
+./User/Vendor/MSFT
+EnterpriseAppManagement
+----AppManagement
+--------UpdateScan
+--------LastScanError
+--------AppInventoryResults
+--------AppInventoryQuery
+--------RemovePackage
+--------AppStore
+----------PackageFamilyName
+------------PackageFullName
+--------------Name
+--------------Version
+--------------Publisher
+--------------Architecture
+--------------InstallLocation
+--------------IsFramework
+--------------IsBundle
+--------------InstallDate
+--------------ResourceID
+--------------RequiresReinstall
+--------------PackageStatus
+--------------Users
+--------------IsProvisioned
+--------------IsStub
+------------DoNotUpdate
+------------AppSettingPolicy
+--------------SettingValue
+------------MaintainProcessorArchitectureOnUpdate
+------------NonRemovable
+----------ReleaseManagement
+------------ReleaseManagementKey
+--------------ChannelId
+--------------ReleaseId
+--------------EffectiveRelease
+-----------------ChannelId
+-----------------ReleaseId
+--------nonStore
+----------PackageFamilyName
+------------PackageFullName
+--------------Name
+--------------Version
+--------------Publisher
+--------------Architecture
+--------------InstallLocation
+--------------IsFramework
+--------------IsBundle
+--------------InstallDate
+--------------ResourceID
+--------------RequiresReinstall
+--------------PackageStatus
+--------------Users
+--------------IsProvisioned
+--------------IsStub
+------------DoNotUpdate
+------------AppSettingPolicy
+--------------SettingValue
+------------MaintainProcessorArchitectureOnUpdate
+------------NonRemoveable
+--------System
+----------PackageFamilyName
+------------PackageFullName
+--------------Name
+--------------Version
+--------------Publisher
+--------------Architecture
+--------------InstallLocation
+--------------IsFramework
+--------------IsBundle
+--------------InstallDate
+--------------ResourceID
+--------------RequiresReinstall
+--------------PackageStatus
+--------------Users
+--------------IsProvisioned
+--------------IsStub
+------------DoNotUpdate
+------------AppSettingPolicy
+--------------SettingValue
+------------MaintainProcessorArchitectureOnUpdate
+------------NonRemoveable
+----AppInstallation
+--------PackageFamilyName
+----------StoreInstall
+----------HostedInstall
+----------LastError
+----------LastErrorDesc
+----------Status
+----------ProgressStatus
+----AppLicenses
+--------StoreLicenses
+----------LicenseID
+------------LicenseCategory
+------------LicenseUsage
+------------RequesterID
+------------AddLicense
+------------GetLicenseFromStore
+```
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
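Review bot: The tree root is labelled `EnterpriseAppManagement`, but the surrounding text says the tree shows the EnterpriseModernAppManagement CSP; the root should carry that name. The same leaf is also spelled two ways: `NonRemovable` under `AppStore` and `NonRemoveable` under `nonStore` and `System`. Pick the spelling the CSP actually uses, since admins will copy these names into OMA-URIs.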
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 98249aad50..f5132cb038 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -21,9 +21,35 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
-The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
+The following shows the EnterpriseAppManagement configuration service provider in tree format.
-
+```console
+./Vendor/MSFT
+EnterpriseAppManagement
+----EnterpriseID
+--------EnrollmentToken
+--------StoreProductID
+--------StoreUri
+--------CertificateSearchCriteria
+--------Status
+--------CRLCheck
+--------EnterpriseApps
+------------Inventory
+----------------ProductID
+--------------------Version
+--------------------Title
+--------------------Publisher
+--------------------InstallDate
+------------Download
+----------------ProductID
+--------------------Version
+--------------------Name
+--------------------URL
+--------------------Status
+--------------------LastError
+--------------------LastErrorDesc
+--------------------DownloadInstall
+```
***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 3df7b51be2..0b5579a5a6 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
-The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-
+```console
+./Vendor/MSFT
+FileSystem
+----file name
+----file directory
+--------file name
+--------file directory
+```
**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index af7934b674..0672037cf9 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -25,9 +25,26 @@ The HotSpot configuration service provider is used to configure and enable Inter
-The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
+The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
-
+```console
+./Vendor/MSFT
+HotSpot
+-------Enabled
+-------DedicatedConnections
+-------TetheringNAIConnection
+-------MaxUsers
+-------MaxBluetoothUsers
+-------MOHelpNumber
+-------MOInfoLink
+-------MOAppLink
+-------MOHelpMessage
+-------EntitlementRequired
+-------EntitlementDll
+-------EntitlementInterval
+-------PeerlessTimeout
+-------PublicConnectionTimeout
+```
**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.
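Review bot: The added tree is rooted at `./Vendor/MSFT`, while the sentence introducing it says the object is shown "as used by OMA Client Provisioning" and that OMA DM is not supported. Please check whether that root line is appropriate for a CSP that is only used through Client Provisioning, or drop it. The child nodes also use 7 dashes; a 4-dash step would match the first level of the other trees in this change.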
diff --git a/windows/client-management/mdm/images/configlock-mem-createprofile.png b/windows/client-management/mdm/images/configlock-mem-createprofile.png
new file mode 100644
index 0000000000..f43f6b7ddb
Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-createprofile.png differ
diff --git a/windows/client-management/mdm/images/configlock-mem-dev.png b/windows/client-management/mdm/images/configlock-mem-dev.png
new file mode 100644
index 0000000000..3ce6cd456d
Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-dev.png differ
diff --git a/windows/client-management/mdm/images/configlock-mem-devstatus.png b/windows/client-management/mdm/images/configlock-mem-devstatus.png
new file mode 100644
index 0000000000..2e78bf58e5
Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-devstatus.png differ
diff --git a/windows/client-management/mdm/images/configlock-mem-editrow.png b/windows/client-management/mdm/images/configlock-mem-editrow.png
new file mode 100644
index 0000000000..18595f86dc
Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-editrow.png differ
diff --git a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png
new file mode 100644
index 0000000000..1e315bc4b1
Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png differ
diff --git a/windows/client-management/mdm/images/faq-max-devices.png b/windows/client-management/mdm/images/faq-max-devices.png
index bf101a0215..f2d177b92f 100644
Binary files a/windows/client-management/mdm/images/faq-max-devices.png and b/windows/client-management/mdm/images/faq-max-devices.png differ
diff --git a/windows/client-management/mdm/images/flow-configlock.png b/windows/client-management/mdm/images/flow-configlock.png
new file mode 100644
index 0000000000..4310537887
Binary files /dev/null and b/windows/client-management/mdm/images/flow-configlock.png differ
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index 69893ff362..1e87fad908 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -15,9 +15,18 @@ manager: dansimp
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
-The following diagram shows the Messaging configuration service provider in tree format.
+The following shows the Messaging configuration service provider in tree format.
-
+```console
+./User/Vendor/MSFT
+Messaging
+----AuditingLevel
+----Auditing
+--------Messages
+----------Count
+----------RevisionId
+----------Data
+```
**./User/Vendor/MSFT/Messaging**
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index ceacdde6dd..d1ada9afe6 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
## Disable MDM enrollments
-Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
+In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.

Here is the corresponding registry key:
-Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
+HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration
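Review bot: the new registry line `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` drops the "Key:" label while the following line keeps "Value: DisableRegistration", so the pair no longer reads as key and value. Keep the label. The page also never states the value type or the data that disables enrollment, so an admin auditing this setting cannot tell what DisableRegistration must contain; add that next to the value name. In the rewritten sentence, "IT admin can" should be "IT admins can".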
@@ -80,19 +80,8 @@ Value: DisableRegistration
The following scenarios do not allow MDM enrollments:
-- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
-- Standard users cannot enroll in MDM. Only admin users can enroll.
-- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
-
-## Enrollment migration
-
-**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
-
-Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
-
-To manually trigger enrollment migration, you can run MDMMaintenenceTask.
-
-**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade.
+- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
+- Standard users cannot enroll in MDM. Only admin users can enroll.
## Enrollment error messages
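Review bot: deleting the "## Enrollment migration" heading removes its anchor, so check the rest of the docset for inbound links to that section before merging. The only guidance on manually triggering migration (running MDMMaintenenceTask) goes with it; if upgrades from Windows 8.1 are still a supported path anywhere, that step needs a new home. The two bullets that are removed and re-added are textually identical, so that part of the change is whitespace-only and could be dropped from the diff.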
@@ -143,49 +132,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
s: |
MessageFormat |
MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
-Message format is bad |
+Invalid message from the Mobile Device Management (MDM) server. |
80180001 |
s: |
Authentication |
MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
-User not recognized |
+The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. |
80180002 |
s: |
Authorization |
MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
-User not allowed to enroll |
+The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. |
80180003 |
s: |
CertificateRequest |
-MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR |
-Failed to get certificate |
+MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR |
+The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. |
80180004 |
s: |
EnrollmentServer |
MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
- |
+The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. |
80180005 |
a: |
InternalServiceFault |
MENROLL_E_DEVICE_INTERNALSERVICE_ERROR |
-The server hit an unexpected issue |
+ There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. |
80180006 |
a: |
InvalidSecurity |
MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
-Cannot parse the security header |
+The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. |
80180007 |
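Review bot: the change from MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR to MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR alters a symbolic constant, not prose. Confirm that the corrected spelling is the name actually defined for 80180004, because anyone searching headers or logs for the documented symbol needs an exact match. The InvalidSecurity row also trades its protocol-level cause ("Cannot parse the security header") for user-facing text; this is a SOAP fault table read by MDM server implementers, so consider keeping the cause alongside the new message. The new InternalServiceFault description starts with a stray space.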
@@ -242,43 +231,43 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
DeviceCapReached |
MENROLL_E_DEVICECAPREACHED |
-User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help. |
+The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. |
80180013 |
DeviceNotSupported |
MENROLL_E_DEVICENOTSUPPORTED |
-Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device. |
+The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. |
80180014 |
NotSupported |
-MENROLL_E_NOTSUPPORTED |
-Mobile device management generally not supported (would save an admin call) |
+MENROLL_E_NOT_SUPPORTED |
+Mobile Device Management (MDM) is generally not supported for this device. |
80180015 |
NotEligibleToRenew |
MENROLL_E_NOTELIGIBLETORENEW |
-Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling. |
+The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. |
80180016 |
InMaintenance |
MENROLL_E_INMAINTENANCE |
-Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved. |
+The Mobile Device Management (MDM) server states your account is in maintenance, try again later. |
80180017 |
UserLicense |
-MENROLL_E_USERLICENSE |
-License of user is in bad state and blocking the enrollment. The user needs to call the admin. |
+MENROLL_E_USER_LICENSE |
+There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. |
80180018 |
InvalidEnrollmentData |
MENROLL_E_ENROLLMENTDATAINVALID |
-The server rejected the enrollment data. The server may not be configured correctly. |
+The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. |
80180019 |
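Review bot: MENROLL_E_NOT_SUPPORTED and MENROLL_E_USER_LICENSE now carry underscores while the neighbouring MENROLL_E_DEVICECAPREACHED, MENROLL_E_DEVICENOTSUPPORTED, MENROLL_E_NOTELIGIBLETORENEW and MENROLL_E_INMAINTENANCE do not. Verify both renames against the defined constant names for 80180015 and 80180018 rather than normalising by eye. The NotEligibleToRenew row replaces "Check time on device" with "Check renew schedule on the device" and drops the note that the user can fix it by re-enrolling; if a wrong device clock can still cause a rejected renewal, keep that hint. The new DeviceNotSupported and InMaintenance descriptions are comma splices and read better as two sentences each.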
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 0b715c1a53..bf9a0bc281 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -25,13 +25,41 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
-The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
+The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
-
+```console
+NAPDEF
+----NAPAUTHINFO
+------AUTHNAME
+------AUTHSECRET
+------AUTHTYPE
+----BEARER
+----INTERNET
+----LOCAL-ADDR
+----LOCAL-ADDRTYPE
+----NAME
+----NAP-ADDRESS
+----NAP-ADDRTYPE
+----NAPID
+```
-The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
+The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
-
+```console
+NAPDEF
+--NAPID
+----NAPAUTHINFO
+------AUTHNAME
+------AUTHSECRET
+------AUTHTYPE
+----BEARER
+----INTERNET
+----LOCAL-ADDR
+----LOCAL-ADDRTYPE
+----NAME
+----NAP-ADDRESS
+----NAP-ADDRTYPE
+```
**NAPAUTHINFO**
Defines a group of authentication settings.
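Review bot: the two new trees disagree about where NAPID sits and how deep its siblings are. The initial-bootstrapping tree puts every child at four dashes directly under NAPDEF and lists `----NAPID` last as a leaf, while the update tree has `--NAPID` at two dashes as the parent of the same nodes. If the first tree really has no intermediate level, its children belong at two dashes; if it has one, the missing parent should be shown. Compare both blocks with the images they replace before merging, since the placement of AUTHNAME, AUTHSECRET and AUTHTYPE determines how the provisioning XML is nested.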
@@ -106,26 +134,26 @@ The following table shows the Microsoft custom elements that this configuration
-parm-query |
+Parm-query |
Yes
Note that some GPRS parameters will not necessarily contain the exact same value as was set. |
-noparm |
+Noparm |
Yes |
-nocharacteristic |
+Nocharacteristic |
Yes |
-characteristic-query |
+Characteristic-query |
Yes |
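Review bot: capitalising `parm-query`, `noparm`, `nocharacteristic` and `characteristic-query` changes how literal element names are spelled in a table that, per the hunk header, lists the Microsoft custom elements. XML element names are case-sensitive, so a reader copying "Parm-query" or "Noparm" into a provisioning document gets a different element from the lowercase one. Keep the lowercase spellings, ideally in code formatting, and apply sentence case only to descriptive text.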
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 272489e4a8..c21357f4a9 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1,6 +1,6 @@
---
title: What's new in MDM enrollment and management
-description: Discover what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
+description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
MS-HAID:
- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
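Review bot: the updated `description` still ends with "across all Windows 10 devices", so the front matter now reads "Windows 10 and Windows 11 ... across all Windows 10 devices". The body paragraph in the next hunk was changed to "across all Windows 10 and Windows 11 devices"; make the description match. "Discover what's new and breaking changes in" is also awkward and could read "Discover what's new, including breaking changes, in".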
@@ -18,215 +18,24 @@ ms.date: 10/20/2020
# What's new in mobile device enrollment and management
-This article provides information about what's new in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
+This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
-For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about Microsoft mobile device management protocols for Windows 10 and Windows 11 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
-## What’s new in MDM for Windows 10, version 20H2
+
+## What’s new in MDM for Windows 11, version 21H2
|New or updated article|Description|
|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
-| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 11, version 21H2:
- NewsAndInterests/AllowNewsAndInterests
- Experiences/ConfigureChatIcon
- Start/ConfigureStartPins
- Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
- Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable |
+| [DMClient CSP](dmclient-csp.md) | Updated the description of the following node:
- Provider/ProviderID/ConfigLock/Lock
- Provider/ProviderID/ConfigLock/UnlockDuration
- Provider/ProviderID/ConfigLock/SecuredCore |
-## What’s new in MDM for Windows 10, version 2004
-
-| New or updated article | Description |
-|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
- [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
- [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
- [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
- [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
- [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)
Updated the following policy in Windows 10, version 2004:
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
Deprecated the following policies in Windows 10, version 2004:
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) |
-| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
- Ext/Microsoft/DNSComputerName |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
- IsStub |
-| [SUPL CSP](supl-csp.md) | Added the following new node:
- FullVersion |
-
-## What’s new in MDM for Windows 10, version 1909
-
-| New or updated article | Description |
-|-----|-----|
-| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
- ConfigureRecoveryPasswordRotation
- RotateRecoveryPasswords
- RotateRecoveryPasswordsStatus
- RotateRecoveryPasswordsRequestID|
-
-## What’s new in MDM for Windows 10, version 1903
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
- [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
- [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
-| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
-| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
-| [Defender CSP](defender-csp.md) | Added the following new nodes:
- Health/TamperProtectionEnabled
- Health/IsVirtualMachine
- Configuration
- Configuration/TamperProtection
- Configuration/EnableFileHashComputation |
-| [DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
Added the new 1.4 version of the DDF.
Added the following new nodes:
- Policy
- Policy/Channels
- Policy/Channels/ChannelName
- Policy/Channels/ChannelName/MaximumFileSize
- Policy/Channels/ChannelName/SDDL
- Policy/Channels/ChannelName/ActionWhenFull
- Policy/Channels/ChannelName/Enabled
- DiagnosticArchive
- DiagnosticArchive/ArchiveDefinition
- DiagnosticArchive/ArchiveResults |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
- SecurityKey
- SecurityKey/UseSecurityKeyForSignin |
-
-
-## What’s new in MDM for Windows 10, version 1809
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
- ApplicationManagement/LaunchAppAfterLogOn
- ApplicationManagement/ScheduleForceRestartForUpdateFailures
- Authentication/EnableFastFirstSignIn (Preview mode only)
- Authentication/EnableWebSignIn (Preview mode only)
- Authentication/PreferredAadTenantDomainName
- Browser/AllowFullScreenMode
- Browser/AllowPrelaunch
- Browser/AllowPrinting
- Browser/AllowSavingHistory
- Browser/AllowSideloadingOfExtensions
- Browser/AllowTabPreloading
- Browser/AllowWebContentOnNewTabPage
- Browser/ConfigureFavoritesBar
- Browser/ConfigureHomeButton
- Browser/ConfigureKioskMode
- Browser/ConfigureKioskResetAfterIdleTimeout
- Browser/ConfigureOpenMicrosoftEdgeWith
- Browser/ConfigureTelemetryForMicrosoft365Analytics
- Browser/PreventCertErrorOverrides
- Browser/SetHomeButtonURL
- Browser/SetNewTabPageURL
- Browser/UnlockHomeButton
- Defender/CheckForSignaturesBeforeRunningScan
- Defender/DisableCatchupFullScan
- Defender/DisableCatchupQuickScan
- Defender/EnableLowCPUPriority
- Defender/SignatureUpdateFallbackOrder
- Defender/SignatureUpdateFileSharesSources
- DeviceGuard/ConfigureSystemGuardLaunch
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
- DeviceInstallation/PreventDeviceMetadataFromNetwork
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
- DmaGuard/DeviceEnumerationPolicy
- Experience/AllowClipboardHistory
- Experience/DoNotSyncBrowserSettings
- Experience/PreventUsersFromTurningOnBrowserSyncing
- Kerberos/UPNNameHints
- Privacy/AllowCrossDeviceClipboard
- Privacy/DisablePrivacyExperience
- Privacy/UploadUserActivities
- Security/RecoveryEnvironmentAuthentication
- System/AllowDeviceNameInDiagnosticData
- System/ConfigureMicrosoft365UploadEndpoint
- System/DisableDeviceDelete
- System/DisableDiagnosticDataViewer
- Storage/RemovableDiskDenyWriteAccess
- TaskManager/AllowEndTask
- Update/DisableWUfBSafeguards
- Update/EngagedRestartDeadlineForFeatureUpdates
- Update/EngagedRestartSnoozeScheduleForFeatureUpdates
- Update/EngagedRestartTransitionScheduleForFeatureUpdates
- Update/SetDisablePauseUXAccess
- Update/SetDisableUXWUAccess
- WindowsDefenderSecurityCenter/DisableClearTpmButton
- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
- WindowsLogon/DontDisplayNetworkSelectionUI |
-| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. |
-| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. |
-| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. |
-| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. |
-| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. |
-| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. |
-| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. |
-| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. |
-| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. |
-| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. |
-
-
-## What’s new in MDM for Windows 10, version 1803
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1803:
- ApplicationDefaults/EnableAppUriHandlers
- ApplicationManagement/MSIAllowUserControlOverInstall
- ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
- Bluetooth/AllowPromptedProximalConnections
- Browser/AllowConfigurationUpdateForBooksLibrary
- Browser/AlwaysEnableBooksLibrary
- Browser/EnableExtendedBooksTelemetry
- Browser/UseSharedFolderForBooks
- Connectivity/AllowPhonePCLinking
- DeliveryOptimization/DODelayBackgroundDownloadFromHttp
- DeliveryOptimization/DODelayForegroundDownloadFromHttp
- DeliveryOptimization/DOGroupIdSource
- DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
- DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
- DeliveryOptimization/DORestrictPeerSelectionBy
- DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
- DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
- Display/DisablePerProcessDpiForApps
- Display/EnablePerProcessDpi
- Display/EnablePerProcessDpiForApps
- Experience/AllowWindowsSpotlightOnSettings
- KioskBrowser/BlockedUrlExceptions
- KioskBrowser/BlockedUrls
- KioskBrowser/DefaultURL
- KioskBrowser/EnableEndSessionButton
- KioskBrowser/EnableHomeButton
- KioskBrowser/EnableNavigationButtons
- KioskBrowser/RestartOnIdleTime
- LanmanWorkstation/EnableInsecureGuestLogons
- LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
- LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
- LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
- LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
- LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
- LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
- LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
- LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
- LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
- LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
- LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
- LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
- Notifications/DisallowCloudNotification
- RestrictedGroups/ConfigureGroupMembership
- Search/AllowCortanaInAAD
- Search/DoNotUseWebResults
- Security/ConfigureWindowsPasswords
- Start/DisableContextMenus
- System/FeedbackHubAlwaysSaveDiagnosticsLocally
- SystemServices/ConfigureHomeGroupListenerServiceStartupMode
- SystemServices/ConfigureHomeGroupProviderServiceStartupMode
- SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
- SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
- SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
- SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
- TaskScheduler/EnableXboxGameSaveTask
- TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
- TextInput/ForceTouchKeyboardDockedState
- TextInput/TouchKeyboardDictationButtonAvailability
- TextInput/TouchKeyboardEmojiButtonAvailability
- TextInput/TouchKeyboardFullModeAvailability
- TextInput/TouchKeyboardHandwritingModeAvailability
- TextInput/TouchKeyboardNarrowModeAvailability
- TextInput/TouchKeyboardSplitModeAvailability
- TextInput/TouchKeyboardWideModeAvailability
- Update/ConfigureFeatureUpdateUninstallPeriod
- Update/TargetReleaseVersion
- UserRights/AccessCredentialManagerAsTrustedCaller
- UserRights/AccessFromNetwork
- UserRights/ActAsPartOfTheOperatingSystem
- UserRights/AllowLocalLogOn
- UserRights/BackupFilesAndDirectories
- UserRights/ChangeSystemTime
- UserRights/CreateGlobalObjects
- UserRights/CreatePageFile
- UserRights/CreatePermanentSharedObjects
- UserRights/CreateSymbolicLinks
- UserRights/CreateToken
- UserRights/DebugPrograms
- UserRights/DenyAccessFromNetwork
- UserRights/DenyLocalLogOn
- UserRights/DenyRemoteDesktopServicesLogOn
- UserRights/EnableDelegation
- UserRights/GenerateSecurityAudits
- UserRights/ImpersonateClient
- UserRights/IncreaseSchedulingPriority
- UserRights/LoadUnloadDeviceDrivers
- UserRights/LockMemory
- UserRights/ManageAuditingAndSecurityLog
- UserRights/ManageVolume
- UserRights/ModifyFirmwareEnvironment
- UserRights/ModifyObjectLabel
- UserRights/ProfileSingleProcess
- UserRights/RemoteShutdown
- UserRights/RestoreFilesAndDirectories
- UserRights/TakeOwnership
- WindowsDefenderSecurityCenter/DisableAccountProtectionUI
- WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
- WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
- WindowsDefenderSecurityCenter/HideSecureBoot
- WindowsDefenderSecurityCenter/HideTPMTroubleshooting
- Security/RequireDeviceEncryption - updated to show it is supported in desktop. |
-| [Accounts CSP](accounts-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [AccountManagement CSP](accountmanagement-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following nodes in Windows 10, version 1803:
- Status
- ShellLauncher
- StatusConfiguration
Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. |
-| [BitLocker CSP](bitlocker-csp.md) | Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. |
-| [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) | Added the DDF download of Windows 10, version 1803 configuration service providers. |
-| [Defender CSP](defender-csp.md) | Added new node (OfflineScan) in Windows 10, version 1803. |
-| [DeviceStatus CSP](devicestatus-csp.md) | Added the following node in Windows 10, version 1803:
- OS/Mode |
-| [DMClient CSP](dmclient-csp.md) | Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
- AADSendDeviceToken
- BlockInStatusPage
- AllowCollectLogsButton
- CustomErrorText
- SkipDeviceStatusPage
- SkipUserStatusPage |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node in Windows 10, version 1803:
- MaintainProcessorArchitectureOnUpdate |
-| [eUICCs CSP](euiccs-csp.md) | Added the following node in Windows 10, version 1803:
- IsEnabled |
-| [MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat) | MDM Migration Analysis Too (MMAT)
Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. |
-| [MultiSIM CSP](multisim-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [NetworkProxy CSP](networkproxy-csp.md) | Added the following node in Windows 10, version 1803:
- ProxySettingsPerUser |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | Added the following node in Windows 10, version 1803:
- UntrustedCertificates |
-| [UEFI CSP](uefi-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [Update CSP](update-csp.md) | Added the following nodes in Windows 10, version 1803:
- Rollback
- Rollback/FeatureUpdate
- Rollback/QualityUpdateStatus
- Rollback/FeatureUpdateStatus |
-
-## What’s new in MDM for Windows 10, version 1709
-
-| New or updated article | Description |
-|-----|-----|
-| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
-ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
- DomainName - fully qualified domain name if the device is domain-joined. |
-| [Firewall CSP](firewall-csp.md) | Added new CSP in Windows 10, version 1709. |
-| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
[WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) | New CSP added in Windows 10, version 1709. Also added the DDF topic. |
-| [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md) | In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. |
-| [VPNv2 CSP](vpnv2-csp.md) | Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709. |
-| [DeviceStatus CSP](devicestatus-csp.md) | Added the following settings in Windows 10, version 1709:
- DeviceStatus/DomainName
- DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
- DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
- DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus |
-| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following setting in Windows 10, version 1709:
- Configuration
Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro. |
-| [DeviceManageability CSP](devicemanageability-csp.md) | Added the following settings in Windows 10, version 1709:
- Provider/_ProviderID_/ConfigInfo
- Provider/_ProviderID_/EnrollmentInfo |
-| [Office CSP](office-csp.md) | Added the following setting in Windows 10, version 1709:
- Installation/CurrentStatus |
-| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF articles. |
-| [Bitlocker CSP](bitlocker-csp.md) | Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. |
-| [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) | Added new policies. |
-| Microsoft Store for Business and Microsoft Store | Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. |
-| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
- IT helpdesk can get detailed MDM diagnostic information using client tools
For details, see [Managing connection](./mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](./mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs).|
-| [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) | Added new topic to introduce a new Group Policy for automatic MDM enrollment. |
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1709:
- Authentication/AllowAadPasswordReset
- Authentication/AllowFidoDeviceSignon
- Browser/LockdownFavorites
- Browser/ProvisionFavorites
- Cellular/LetAppsAccessCellularData
- Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
- Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
- Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
- CredentialProviders/DisableAutomaticReDeploymentCredentials
- DeviceGuard/EnableVirtualizationBasedSecurity
- DeviceGuard/RequirePlatformSecurityFeatures
- DeviceGuard/LsaCfgFlags
- DeviceLock/MinimumPasswordAge
- ExploitGuard/ExploitProtectionSettings
- Games/AllowAdvancedGamingServices
- Handwriting/PanelDefaultModeDocked
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
- Power/DisplayOffTimeoutOnBattery
- Power/DisplayOffTimeoutPluggedIn
- Power/HibernateTimeoutOnBattery
- Power/HibernateTimeoutPluggedIn
- Power/StandbyTimeoutOnBattery
- Power/StandbyTimeoutPluggedIn
- Privacy/EnableActivityFeed
- Privacy/PublishUserActivities
- Defender/AttackSurfaceReductionOnlyExclusions
- Defender/AttackSurfaceReductionRules
- Defender/CloudBlockLevel
- Defender/CloudExtendedTimeout
- Defender/ControlledFolderAccessAllowedApplications
- Defender/ControlledFolderAccessProtectedFolders
- Defender/EnableControlledFolderAccess
- Defender/EnableNetworkProtection
- Education/DefaultPrinterName
- Education/PreventAddingNewPrinters
- Education/PrinterNames
- Search/AllowCloudSearch
- Security/ClearTPMIfNotReady
- Settings/AllowOnlineTips
- Start/HidePeopleBar
- Storage/AllowDiskHealthModelUpdates
- System/DisableEnterpriseAuthProxy
- System/LimitEnhancedDiagnosticDataWindowsAnalytics
- Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
- Update/DisableDualScan
- Update/ManagePreviewBuilds
- Update/ScheduledInstallEveryWeek
- Update/ScheduledInstallFirstWeek
- Update/ScheduledInstallFourthWeek
- Update/ScheduledInstallSecondWeek
- Update/ScheduledInstallThirdWeek
- WindowsDefenderSecurityCenter/CompanyName
- WindowsDefenderSecurityCenter/DisableAppBrowserUI
- WindowsDefenderSecurityCenter/DisableEnhancedNotifications
- WindowsDefenderSecurityCenter/DisableFamilyUI
- WindowsDefenderSecurityCenter/DisableHealthUI
- WindowsDefenderSecurityCenter/DisableNetworkUI
- WindowsDefenderSecurityCenter/DisableNotifications
- WindowsDefenderSecurityCenter/DisableVirusUI
- WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
- WindowsDefenderSecurityCenter/Email
- WindowsDefenderSecurityCenter/EnableCustomizedToasts
- WindowsDefenderSecurityCenter/EnableInAppCustomization
- WindowsDefenderSecurityCenter/Phone
- WindowsDefenderSecurityCenter/URL
- WirelessDisplay/AllowMdnsAdvertisement
- WirelessDisplay/AllowMdnsDiscovery |
-
-
-## What’s new in MDM for Windows 10, version 1703
-
-| New or updated article | Description |
-|-----|-----|
-| [Update CSP](update-csp.md) | Added the following nodes:
- FailedUpdates/_Failed Update Guid_/RevisionNumber
- InstalledUpdates/_Installed Update Guid_/RevisionNumber
- PendingRebootUpdates/_Pending Reboot Update Guid_/RevisionNumber |
-| [CM_CellularEntries CSP](cm-cellularentries-csp.md) | To PurposeGroups setting, added the following values:
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 |
-| [CertificateStore CSP](certificatestore-csp.md) | Added the following setting:
- My/WSTEP/Renew/RetryAfterExpiryInterval |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | Added the following setting:
- SCEP/UniqueID/Install/AADKeyIdentifierList |
-| [DMAcc CSP](dmacc-csp.md) | Added the following setting:
- AccountUID/EXT/Microsoft/InitiateSession |
-| [DMClient CSP](dmclient-csp.md) | Added the following nodes and settings:
- HWDevID
- Provider/ProviderID/ManagementServerToUpgradeTo
- Provider/ProviderID/CustomEnrollmentCompletePage
- Provider/ProviderID/CustomEnrollmentCompletePage/Title
- Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
- Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
- Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText |
-| [CellularSettings CSP](cellularsettings-csp.md)
[CM_CellularEntries CSP](cm-cellularentries-csp.md)
[EnterpriseAPN CSP](enterpriseapn-csp.md) | For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. |
-| [SecureAssessment CSP](secureassessment-csp.md) | Added the following settings:
- AllowTextSuggestions
- RequirePrinting |
-| [EnterpriseAPN CSP](enterpriseapn-csp.md) | Added the following setting:
- Roaming |
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies:
- Accounts/AllowMicrosoftAccountSignInAssistant
- ApplicationDefaults/DefaultAssociationsConfiguration
- Browser/AllowAddressBarDropdown
- Browser/AllowFlashClickToRun
- Browser/AllowMicrosoftCompatibilityList
- Browser/AllowSearchEngineCustomization
- Browser/ClearBrowsingDataOnExit
- Browser/ConfigureAdditionalSearchEngines
- Browser/DisableLockdownOfStartPages
- Browser/PreventFirstRunPage
- Browser/PreventLiveTileDataCollection
- Browser/SetDefaultSearchEngine
- Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
- Connectivity/AllowConnectedDevices
- DeliveryOptimization/DOAllowVPNPeerCaching
- DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
- DeliveryOptimization/DOMinDiskSizeAllowedToPeer
- DeliveryOptimization/DOMinFileSizeToCache
- DeliveryOptimization/DOMinRAMAllowedToPeer
- DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
- Display/TurnOffGdiDPIScalingForApps
- Display/TurnOnGdiDPIScalingForApps
- EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
- EnterpriseCloudPrint/CloudPrintOAuthAuthority
- EnterpriseCloudPrint/CloudPrintOAuthClientId
- EnterpriseCloudPrint/CloudPrintResourceId
- EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
- EnterpriseCloudPrint/MopriaDiscoveryResourceId
- Experience/AllowFindMyDevice
- Experience/AllowTailoredExperiencesWithDiagnosticData
- Experience/AllowWindowsSpotlightOnActionCenter
- Experience/AllowWindowsSpotlightWindowsWelcomeExperience
- Location/EnableLocation
- Messaging/AllowMMS
- Messaging/AllowRCS
- Privacy/LetAppsAccessTasks
- Privacy/LetAppsAccessTasks_ForceAllowTheseApps
- Privacy/LetAppsAccessTasks_ForceDenyTheseApps
- Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
- Privacy/LetAppsGetDiagnosticInfo
- Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
- Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
- Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
- Privacy/LetAppsRunInBackground
- Privacy/LetAppsRunInBackground_ForceAllowTheseApps
- Privacy/LetAppsRunInBackground_ForceDenyTheseApps
- Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
- Settings/ConfigureTaskbarCalendar
- Settings/PageVisibilityList
- SmartScreen/EnableAppInstallControl
- SmartScreen/EnableSmartScreenInShell
- SmartScreen/PreventOverrideForFilesInShell
- Start/AllowPinnedFolderDocuments
- Start/AllowPinnedFolderDownloads
- Start/AllowPinnedFolderFileExplorer
- Start/AllowPinnedFolderHomeGroup
- Start/AllowPinnedFolderMusic
- Start/AllowPinnedFolderNetwork
- Start/AllowPinnedFolderPersonalFolder
- Start/AllowPinnedFolderPictures
- Start/AllowPinnedFolderSettings
- Start/AllowPinnedFolderVideos
- Start/HideAppList
- Start/HideChangeAccountSettings
- Start/HideFrequentlyUsedApps
- Start/HideHibernate
- Start/HideLock
- Start/HidePowerButton
- Start/HideRecentJumplists
- Start/HideRecentlyAddedApps
- Start/HideRestart
- Start/HideShutDown
- Start/HideSignOut
- Start/HideSleep
- Start/HideSwitchAccount
- Start/HideUserTile
- Start/ImportEdgeAssets
- Start/NoPinningToTaskbar
- System/AllowFontProviders
- System/DisableOneDriveFileSync
- TextInput/AllowKeyboardTextSuggestions
- TimeLanguageSettings/AllowSet24HourClock
- Update/ActiveHoursMaxRange
- Update/AutoRestartDeadlinePeriodInDays
- Update/AutoRestartNotificationSchedule
- Update/AutoRestartRequiredNotificationDismissal
- Update/DetectionFrequency
- Update/EngagedRestartDeadline
- Update/EngagedRestartSnoozeSchedule
- Update/EngagedRestartTransitionSchedule
- Update/IgnoreMOAppDownloadLimit
- Update/IgnoreMOUpdateDownloadLimit
- Update/PauseFeatureUpdatesStartTime
- Update/PauseQualityUpdatesStartTime
- Update/SetAutoRestartNotificationDisable
- Update/SetEDURestart
- WiFi/AllowWiFiDirect
- WindowsLogon/HideFastUserSwitching
- WirelessDisplay/AllowProjectionFromPC
- WirelessDisplay/AllowProjectionFromPCOverInfrastructure
- WirelessDisplay/AllowProjectionToPCOverInfrastructure
- WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
Removed TextInput/AllowLinguisticDataCollection
Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in IoT Enterprise
Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.
Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.
Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.
Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. |
-| [DevDetail CSP](devdetail-csp.md) | Added the following setting:
- DeviceHardwareData |
-| [CleanPC CSP](cleanpc-csp.md) | Added the new CSP. |
-| [DeveloperSetup CSP](developersetup-csp.md) | Added the new CSP. |
-| [NetworkProxy CSP](networkproxy-csp.md) | Added the new CSP. |
-| [BitLocker CSP](bitlocker-csp.md) | Added the new CSP.
Added the following setting:
- AllowWarningForOtherDiskEncryption |
-| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
Added the following settings:
- RevokeOnMDMHandoff
- SMBAutoEncryptedFileExtensions |
-| [DynamicManagement CSP](dynamicmanagement-csp.md) | Added the new CSP. |
-| [Implement server-side support for mobile application management on Windows](./implement-server-side-mobile-application-management.md) | New mobile application management (MAM) support added in Windows 10, version 1703. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added the following new node and settings:
- _TenantId_/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/EnablePinRecovery |
-| [Office CSP](office-csp.md) | Added the new CSP. |
-| [Personalization CSP](personalization-csp.md) | Added the new CSP. |
-| [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) | Added the new CSP. |
-| [HealthAttestation CSP](healthattestation-csp.md) | Added the following settings:
- HASEndpoint - added in Windows 10, version 1607, but not documented
- TpmReadyStatus - added in the March service release of Windows 10, version 1607 |
-| [SurfaceHub CSP](surfacehub-csp.md) | Added the following nodes and settings:
- InBoxApps/SkypeForBusiness
- InBoxApps/SkypeForBusiness/DomainName
- InBoxApps/Connect
- InBoxApps/Connect/AutoLaunch
- Properties/DefaultVolume
- Properties/ScreenTimeout
- Properties/SessionTimeout
- Properties/SleepTimeout
- Properties/AllowSessionResume
- Properties/AllowAutoProxyAuth
- Properties/DisableSigninSuggestions
- Properties/DoNotShowMyMeetingsAndFiles |
-| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | Added the new CSP. |
-| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following setting:
- ChangeProductKey |
-| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | Added the following setting:
- Configuration/TelemetryReportingFrequency |
-| [DMSessionActions CSP](dmsessionactions-csp.md) | Added the new CSP. |
-| [SharedPC CSP](dmsessionactions-csp.md) | Added new settings in Windows 10, version 1703:
- RestrictLocalStorage
- KioskModeAUMID
- KioskModeUserTileDisplayText
- InactiveThreshold
- MaxPageFileSizeMB
The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300. |
-| [RemoteLock CSP](remotelock-csp.md) | Added following setting:
- LockAndRecoverPIN |
-| [NodeCache CSP](nodecache-csp.md) | Added following settings:
- ChangedNodesData
- AutoSetExpectedValue |
-| [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) | Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF articles of various CSPs. |
-| [RemoteWipe CSP](remotewipe-csp.md) | Added new setting in Windows 10, version 1703:
- doWipeProtected |
-| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes and properties. |
-| [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md) | Added a section describing SyncML examples of various ADMX elements. |
-| [Win32 and Desktop Bridge app policy configuration](./win32-and-centennial-app-policy-configuration.md) | New article. |
-| [Deploy and configure App-V apps using MDM](./appv-deploy-and-config.md) | Added a new article describing how to deploy and configure App-V apps using MDM. |
-| [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) | Added new setting in the March service release of Windows 10, version 1607.
- MSI/UpgradeCode/[Guid] |
-| [Reporting CSP](reporting-csp.md) | Added new settings in Windows 10, version 1703.
- EnterpriseDataProtection/RetrieveByTimeRange/Type
- EnterpriseDataProtection/RetrieveByCount/Type |
-| [Connect your Windows 10-based device to work using a deep link](./mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
- Username
- Servername
- Accesstoken
- Deviceidentifier
- Tenantidentifier
- Ownership |
-| MDM support for Windows 10 S | Updated the following articles to indicate MDM support in Windows 10 S.
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [Policy CSP](policy-configuration-service-provider.md) |
-| [TPMPolicy CSP](tpmpolicy-csp.md) | Added the new CSP. |
-
-## What’s new in MDM for Windows 10, version 1607
-
-| New or updated article | Description |
-|-----|-----|
-| Sideloading of apps | Starting in Windows 10, version 1607, sideloading of apps is only allowed through [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices. |
-| [NodeCache CSP](nodecache-csp.md) | The value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache. |
-| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | New CSP. |
-| [Policy CSP](policy-configuration-service-provider.md) | Removed the following policies:
- DataProtection/AllowAzureRMSForEDP - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/AllowUserDecryption - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/EDPEnforcementLevel - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/RequireProtectionUnderLockConfig - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/RevokeOnUnenroll - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseNetworkDomainNames - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseProxyServers - moved this policy to NetworkIsolation policy
- Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices - this policy has been deprecated.
Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607:
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Education
Added the following new policies:
- AboveLock/AllowCortanaAboveLock
- ApplicationManagement/DisableStoreOriginatedApps
- Authentication/AllowSecondaryAuthenticationDevice
- Bluetooth/AllowPrepairing
- Browser/AllowExtensions
- Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- Browser/ShowMessageWhenOpeningSitesInInternetExplorer
- DeliveryOptimization/DOAbsoluteMaxCacheSize
- DeliveryOptimization/DOMaxDownloadBandwidth
- DeliveryOptimization/DOMinBackgroundQoS
- DeliveryOptimization/DOModifyCacheDrive
- DeliveryOptimization/DOMonthlyUploadDataCap
- DeliveryOptimization/DOPercentageMaxDownloadBandwidth
- DeviceLock/EnforceLockScreenAndLogonImage
- DeviceLock/EnforceLockScreenProvider
- Defender/PUAProtection
- Experience/AllowThirdPartySuggestionsInWindowsSpotlight
- Experience/AllowWindowsSpotlight
- Experience/ConfigureWindowsSpotlightOnLockScreen
- Experience/DoNotShowFeedbackNotifications
- Licensing/AllowWindowsEntitlementActivation
- Licensing/DisallowKMSClientOnlineAVSValidation
- LockDown/AllowEdgeSwipe
- Maps/EnableOfflineMapsAutoUpdate
- Maps/AllowOfflineMapsDownloadOverMeteredConnection
- Messaging/AllowMessageSync
- NetworkIsolation/EnterpriseCloudResources
- NetworkIsolation/EnterpriseInternalProxyServers
- NetworkIsolation/EnterpriseIPRange
- NetworkIsolation/EnterpriseIPRangesAreAuthoritative
- NetworkIsolation/EnterpriseNetworkDomainNames
- NetworkIsolation/EnterpriseProxyServers
- NetworkIsolation/EnterpriseProxyServersAreAuthoritative
- NetworkIsolation/NeutralResources
- Notifications/DisallowNotificationMirroring
- Privacy/DisableAdvertisingId
- Privacy/LetAppsAccessAccountInfo
- Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
- Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
- Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
- Privacy/LetAppsAccessCalendar
- Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
- Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
- Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
- Privacy/LetAppsAccessCallHistory
- Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
- Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
- Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
- Privacy/LetAppsAccessCamera
- Privacy/LetAppsAccessCamera_ForceAllowTheseApps
- Privacy/LetAppsAccessCamera_ForceDenyTheseApps
- Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
- Privacy/LetAppsAccessContacts
- Privacy/LetAppsAccessContacts_ForceAllowTheseApps
- Privacy/LetAppsAccessContacts_ForceDenyTheseApps
- Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
- Privacy/LetAppsAccessEmail
- Privacy/LetAppsAccessEmail_ForceAllowTheseApps
- Privacy/LetAppsAccessEmail_ForceDenyTheseApps
- Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
- Privacy/LetAppsAccessLocation
- Privacy/LetAppsAccessLocation_ForceAllowTheseApps
- Privacy/LetAppsAccessLocation_ForceDenyTheseApps
- Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
- Privacy/LetAppsAccessMessaging
- Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
- Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
- Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
- Privacy/LetAppsAccessMicrophone
- Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
- Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
- Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
- Privacy/LetAppsAccessMotion
- Privacy/LetAppsAccessMotion_ForceAllowTheseApps
- Privacy/LetAppsAccessMotion_ForceDenyTheseApps
- Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
- Privacy/LetAppsAccessNotifications
- Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
- Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
- Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
- Privacy/LetAppsAccessPhone
- Privacy/LetAppsAccessPhone_ForceAllowTheseApps
- Privacy/LetAppsAccessPhone_ForceDenyTheseApps
- Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
- Privacy/LetAppsAccessRadios
- Privacy/LetAppsAccessRadios_ForceAllowTheseApps
- Privacy/LetAppsAccessRadios_ForceDenyTheseApps
- Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
- Privacy/LetAppsAccessTrustedDevices
- Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
- Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
- Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
- Privacy/LetAppsSyncWithDevices
- Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
- Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
- Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
- Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
- Settings/AllowEditDeviceName
- Speech/AllowSpeechModelUpdate
- System/TelemetryProxy
- Update/ActiveHoursStart
- Update/ActiveHoursEnd
- Update/AllowMUUpdateService
- Update/BranchReadinessLevel
- Update/DeferFeatureUpdatesPeriodInDays
- Update/DeferQualityUpdatesPeriodInDays
- Update/ExcludeWUDriversInQualityUpdate
- Update/PauseFeatureUpdates
- Update/PauseQualityUpdates
- Update/SetProxyBehaviorForUpdateDetection
- Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
- WindowsInkWorkspace/AllowWindowsInkWorkspace
- WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
- WirelessDisplay/AllowProjectionToPC
- WirelessDisplay/RequirePinForPairing
Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.
Updated DeliveryOptimization/DODownloadMode to add new values.
Updated Experience/AllowCortana description to clarify what each supported value does.
Updated Security/AntiTheftMode description to clarify what each supported value does. |
-| [DMClient CSP](dmclient-csp.md) | Added the following settings:
- ManagementServerAddressList
- AADDeviceID
- EnrollmentType
- HWDevID
- CommercialID
Removed the EnrollmentID setting. |
-| [DeviceManageability CSP](devicemanageability-csp.md) | New CSP. |
-| [DeviceStatus CSP](devicestatus-csp.md) | Added the following new settings:
- DeviceStatus/TPM/SpecificationVersion
- DeviceStatus/OS/Edition
- DeviceStatus/Antivirus/SignatureStatus
- DeviceStatus/Antivirus/Status
- DeviceStatus/Antispyware/SignatureStatus
- DeviceStatus/Antispyware/Status
- DeviceStatus/Firewall/Status
- DeviceStatus/UAC/Status
- DeviceStatus/Battery/Status
- DeviceStatus/Battery/EstimatedChargeRemaining
- DeviceStatus/Battery/EstimatedRuntime |
-| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples. |
-| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
Updated the DDF and XSD file sections. |
-| [SecureAssessment CSP](secureassessment-csp.md) | New CSP. |
-| [DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.3 of the CSP with two new settings.
Added the new 1.3 version of the DDF.
Added the following new settings in Windows 10, version 1607
- DeviceStateData
- DeviceStateData/MdmConfiguration |
-| [Reboot CSP](reboot-csp.md) | New CSP. |
-| [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) | New CSP. |
-| [VPNv2 CSP](vpnv2-csp.md) | Added the following settings for Windows 10, version 1607:
- _ProfileName_/RouteList/routeRowId/ExclusionRoute
- _ProfileName_/DomainNameInformationList/_dniRowId_/AutoTrigger
- _ProfileName_/DomainNameInformationList/dniRowId/Persistent
- _ProfileName_/ProfileXML
- _ProfileName_/DeviceCompliance/Enabled
- _ProfileName_/DeviceCompliance/Sso
- _ProfileName_/DeviceCompliance/Sso/Enabled
- _ProfileName_/DeviceCompliance/Sso/IssuerHash
- _ProfileName_/DeviceCompliance/Sso/Eku
- _ProfileName_/NativeProfile/CryptographySuite
- _ProfileName_/NativeProfile/CryptographySuite/AuthenticationTransformConstants
- _ProfileName_/NativeProfile/CryptographySuite/CipherTransformConstants
- _ProfileName_/NativeProfile/CryptographySuite/EncryptionMethod
- _ProfileName_/NativeProfile/CryptographySuite/IntegrityCheckMethod
- _ProfileName_/NativeProfile/CryptographySuite/DHGroup
- _ProfileName_/NativeProfile/CryptographySuite/PfsGroup
- _ProfileName_/NativeProfile/L2tpPsk |
-| [Win32AppInventory CSP](win32appinventory-csp.md) | New CSP. |
-| [SharedPC CSP](sharedpc-csp.md) | New CSP. |
-| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | New CSP. |
-| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes for Windows 10, version 1607. |
-| [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) | Article renamed from "Enrollment UI".
Completely updated enrollment procedures and screenshots. |
-| [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
[UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md) | Added the following new setting for Windows 10, version 1607:
- NextSession/HORMEnabled |
-| [CertificateStore CSP](certificatestore-csp.md)
[CertificateStore DDF file](certificatestore-ddf-file.md) | Added the following new settings in Windows 10, version 1607:
- My/WSTEP/Renew/LastRenewalAttemptTime
- My/WSTEP/Renew/RenewNow |
-| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following new node and settings in Windows 10, version 1607, but not documented:
- Subscriptions
- Subscriptions/SubscriptionId
- Subscriptions/SubscriptionId/Status
- Subscriptions/SubscriptionId/Name |
-| [WiFi CSP](wifi-csp.md) | Deprecated the following node in Windows 10, version 1607:
- DisableInternetConnectivityChecks |
-
-## What’s new in MDM for Windows 10, version 1511
-
-| New or updated article | Description |
-|-----|-----|
-| New configuration service providers added in Windows 10, version 1511 | - [AllJoynManagement CSP](alljoynmanagement-csp.md)
- [Maps CSP](maps-csp.md)
- [Reporting CSP](reporting-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) |
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings:
- ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
- Bluetooth/ServicesAllowedList
- DataProtection/AllowAzureRMSForEDP
- DataProtection/RevokeOnUnenroll
- DeviceLock/DevicePasswordExpiration
- DeviceLock/DevicePasswordHistory
- TextInput/AllowInputPanel
- Update/PauseDeferrals
- Update/RequireDeferUpdate
- Update/RequireUpdateApproval
Updated the following policy settings:
- System/AllowLocation
- Update/RequireDeferUpgrade
Deprecated the following policy settings:
- TextInput/AllowKoreanExtendedHanja
- WiFi/AllowWiFiHotSpotReporting |
-| Management tool for the Microsoft Store for Business | New articles. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. |
-| Custom header for generic alert | The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format: `MDM-GenericAlert: `
If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). |
-| Alert message for slow client response | When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the [DMClient CSP](dmclient-csp.md). |
-| [DMClient CSP](dmclient-csp.md) | Added a new node EnableOmaDmKeepAliveMessage to the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) and updated the ManagementServerAddress to indicate that it can contain a list of URLs. |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new nodes:
- AppManagement/GetInventoryQuery
- AppManagement/GetInventoryResults
- .../_PackageFamilyName_/AppSettingPolicy/_SettingValue_
- AppLicenses/StoreLicenses/_LicenseID_/LicenseCategory
- AppLicenses/StoreLicenses/_LicenseID_/LicenseUsage
- AppLicenses/StoreLicenses/_LicenseID_/RequesterID
- AppLicenses/StoreLicenses/_LicenseID_/GetLicenseFromStore |
-| [EnterpriseExt CSP](enterpriseext-csp.md) | Added the following new nodes:
- DeviceCustomData (CustomID, CustomeString)
- Brightness (Default, MaxAuto)
- LedAlertNotification (State, Intensity, Period, DutyCycle, Cyclecount) |
-| [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) | Added the OemProfile node.
-| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
- TenantId/Policies/PINComplexity/History
- TenantId/Policies/PINComplexity/Expiration
- TenantId/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
- Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
- Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT) |
-| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | The following updates are done to the [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md):
- In AssignedAccessXML node, added new page settings and quick action settings.
- In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
- Updated the [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md) article. |
-| [DevDetail CSP](devdetail-csp.md) | The following updates are done to [DevDetail CSP](devdetail-csp.md):
- Added TotalStore and TotalRAM settings.
- Added support for Replace command for the DeviceName setting. |
-| Handling large objects | Added support for the client to handle uploading of large objects to the server. |
## Breaking changes and known issues
### Get command inside an atomic command is not supported
-In Windows 10, a Get command inside an atomic command is not supported. This was allowed in Windows Phone 8 and Windows Phone 8.1.
-
-### Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10
-
-During an upgrade from Windows 8.1 to Windows 10, the notification channel URI information is not preserved. In addition, the MDM client loses the PFN, AppID, and client secret.
-
-After upgrading to Windows 10, you should call MDM\_WNSConfiguration class to recreate the notification channel URI.
+In Windows 10 and Windows 11, a Get command inside an atomic command is not supported.
### Apps installed using WMI classes are not removed
@@ -234,17 +43,17 @@ Applications installed using WMI classes are not removed when the MDM account is
### Passing CDATA in SyncML does not work
-Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10. It worked in Windows Phone 8.
+Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11.
### SSL settings in IIS server for SCEP must be set to "Ignore"
-The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine.
+The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.

-### MDM enrollment fails on the mobile device when traffic is going through proxy
+### MDM enrollment fails on the Windows device when traffic is going through proxy
-When the mobile device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network.
+When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network.
### Server-initiated unenrollment failure
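Review bot: The rewritten SCEP sentence no longer says which IIS setting it refers to. The removed line was the only place that named the client certificate option (when you set the client certificate to "Accept"), and the replacement says only "The certificate setting under "SSL Settings"". Suggest wording it as "The client certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11." so the reader knows which control to change.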
@@ -254,41 +63,13 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act
### Certificates causing issues with Wi-Fi and VPN
-Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
+In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
-### Version information for mobile devices
+### Version information for Windows 11
-The software version information from **DevDetail/SwV** does not match the version in **Settings** under **System/About**.
+The software version information from **DevDetail/Ext/Microsoft/OSPlatform** does not match the version in **Settings** under **System/About**.
-### Upgrading Windows Phone 8.1 devices with app allow-listing using ApplicationRestriction policy has issues
-
-- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
-
- Here's additional guidance for the upgrade process:
-
- - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
- - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher rule if you are using it.
- - In the SyncML, you must use lowercase product ID.
- - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
-
-
-- Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify <Publisher PublisherName=”Microsoft Corporation” />.
-
- To workaround this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list.
-
-- Some apps (specifically those that are published in Microsoft Store as AppX Bundles) are blocked from installing even when they are included in the app list.
-
- No workaround is available at this time. An OS update to fix this issue is coming soon.
-
-### Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218
-
-Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework ID to your list of allowed apps.
-
-```xml
-
-```
-
-### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile
+### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
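Review bot: The ClientCertificateInstall known issue drops its version scope but keeps "We are working to fix this issue." The old text limited the problem to "Currently in Windows 10, version 1511"; the new text asserts it for all of Windows 10 and Windows 11. Please confirm that a device-store certificate sent in the same payload still lands in the user store on current builds, then either state the affected versions or remove the "working to fix" sentence. The renamed "Version information for Windows 11" section needs the same check, since the node changed from DevDetail/SwV to DevDetail/Ext/Microsoft/OSPlatform while the mismatch claim was carried over unchanged.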
@@ -304,25 +85,25 @@ EAP XML must be updated with relevant information for your environment This can
- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
-For information about EAP Settings, see
+For information about EAP Settings, see .
-For information about generating an EAP XML, see [EAP configuration](eap-configuration.md)
+For information about generating an EAP XML, see [EAP configuration](eap-configuration.md).
-For more information about extended key usage, see
+For more information about extended key usage, see .
-For information about adding extended key usage (EKU) to a certificate, see
+For information about adding extended key usage (EKU) to a certificate, see .
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- - Client Authentication
- - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2
- - Any Purpose
+ - Client Authentication.
+ - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
+ - Any Purpose.
- An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
- - All Purpose
+ - All Purpose.
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
-- The user or the computer certificate on the client chains to a trusted root CA
+- The user or the computer certificate on the client chains to a trusted root CA.
- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
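Review bot: Three reference sentences in this hunk still point at nothing. After the change they read "For information about EAP Settings, see .", "For more information about extended key usage, see ." and "For information about adding extended key usage (EKU) to a certificate, see .". Appending a period does not fix them; restore the link targets or remove the sentences. Only the "EAP configuration" line has a usable link.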
@@ -436,40 +217,42 @@ The following XML sample explains the properties for the EAP TLS XML including c
Alternatively you can use the following procedure to create an EAP Configuration XML.
-1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article.
+1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md).
+
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
- 
+ :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
3. Click the **Properties** button underneath the drop down menu.
+
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
- 
+ :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
+
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
- 
+ :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
+
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
+
7. Close the rasphone dialog box.
-8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
+
+8. Continue following the procedure in [EAP configuration](eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
-### Remote PIN reset not supported in Azure Active Directory joined mobile devices
-
-In Windows 10 Mobile, remote PIN reset in Azure AD joined devices are not supported. Devices are wiped when you issue a remote PIN reset command using the RemoteLock CSP.
-
### MDM client will immediately check-in with the MDM server after client renews WNS channel URI
-Starting in Windows 10, after the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
+After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
-### User provisioning failure in Azure Active Directory joined Windows 10 PC
+### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices
-In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
### Requirements to note for VPN certificates also used for Kerberos Authentication
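Review bot: The body of the user provisioning section lost its noun when "PC" was removed. "In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails" should read "Windows 10 and Windows 11 devices", matching the new heading. While editing that line, please also check "/.User": other paths in this file are written in the form "./Device/Vendor/MSFT", so this looks like a carried-over typo for "./User".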
@@ -479,30 +262,89 @@ If you want to use the certificate used for VPN authentication also for Kerberos
The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
+
## Frequently Asked Questions
-### **Can there be more than one MDM server to enroll and manage devices in Windows 10?**
+### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11?
No. Only one MDM is allowed.
-### **How do I set the maximum number of Azure Active Directory joined devices per user?**
+### How do I set the maximum number of Azure Active Directory joined devices per user?
1. Login to the portal as tenant admin: https://manage.windowsazure.com.
2. Click Active Directory on the left pane.
3. Choose your tenant.
4. Click **Configure**.
5. Set quota to unlimited.
- 
+ :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png":::
-### **What is dmwappushsvc?**
+### What is dmwappushsvc?
Entry | Description
--------------- | --------------------
-What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+What is dmwappushsvc? | It is a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.|
+
+
+## What’s new in MDM for Windows 10, version 20H2
+
+|New or updated article|Description|
+|-----|-----|
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
- Properties/SleepMode |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard |
+
+## What’s new in MDM for Windows 10, version 2004
+
+| New or updated article | Description |
+|-----|-----|
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
- [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
- [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
- [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
- [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
- [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)
Updated the following policy in Windows 10, version 2004:
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
Deprecated the following policies in Windows 10, version 2004:
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) |
+| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
- Ext/Microsoft/DNSComputerName |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
- IsStub |
+| [SUPL CSP](supl-csp.md) | Added the following new node:
- FullVersion |
+
+## What’s new in MDM for Windows 10, version 1909
+
+| New or updated article | Description |
+|-----|-----|
+| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
- ConfigureRecoveryPasswordRotation
- RotateRecoveryPasswords
- RotateRecoveryPasswordsStatus
- RotateRecoveryPasswordsRequestID|
+
+## What’s new in MDM for Windows 10, version 1903
+
+| New or updated article | Description |
+|-----|-----|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
- [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
- [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
+| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
+| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
+| [Defender CSP](defender-csp.md) | Added the following new nodes:
- Health/TamperProtectionEnabled
- Health/IsVirtualMachine
- Configuration
- Configuration/TamperProtection
- Configuration/EnableFileHashComputation |
+| [DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
Added the new 1.4 version of the DDF.
Added the following new nodes:
- Policy
- Policy/Channels
- Policy/Channels/ChannelName
- Policy/Channels/ChannelName/MaximumFileSize
- Policy/Channels/ChannelName/SDDL
- Policy/Channels/ChannelName/ActionWhenFull
- Policy/Channels/ChannelName/Enabled
- DiagnosticArchive
- DiagnosticArchive/ArchiveDefinition
- DiagnosticArchive/ArchiveResults |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
- SecurityKey
- SecurityKey/UseSecurityKeyForSignin |
+
+
+## What’s new in MDM for Windows 10, version 1809
+
+| New or updated article | Description |
+|-----|-----|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
- ApplicationManagement/LaunchAppAfterLogOn
- ApplicationManagement/ScheduleForceRestartForUpdateFailures
- Authentication/EnableFastFirstSignIn (Preview mode only)
- Authentication/EnableWebSignIn (Preview mode only)
- Authentication/PreferredAadTenantDomainName
- Browser/AllowFullScreenMode
- Browser/AllowPrelaunch
- Browser/AllowPrinting
- Browser/AllowSavingHistory
- Browser/AllowSideloadingOfExtensions
- Browser/AllowTabPreloading
- Browser/AllowWebContentOnNewTabPage
- Browser/ConfigureFavoritesBar
- Browser/ConfigureHomeButton
- Browser/ConfigureKioskMode
- Browser/ConfigureKioskResetAfterIdleTimeout
- Browser/ConfigureOpenMicrosoftEdgeWith
- Browser/ConfigureTelemetryForMicrosoft365Analytics
- Browser/PreventCertErrorOverrides
- Browser/SetHomeButtonURL
- Browser/SetNewTabPageURL
- Browser/UnlockHomeButton
- Defender/CheckForSignaturesBeforeRunningScan
- Defender/DisableCatchupFullScan
- Defender/DisableCatchupQuickScan
- Defender/EnableLowCPUPriority
- Defender/SignatureUpdateFallbackOrder
- Defender/SignatureUpdateFileSharesSources
- DeviceGuard/ConfigureSystemGuardLaunch
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
- DeviceInstallation/PreventDeviceMetadataFromNetwork
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
- DmaGuard/DeviceEnumerationPolicy
- Experience/AllowClipboardHistory
- Experience/DoNotSyncBrowserSettings
- Experience/PreventUsersFromTurningOnBrowserSyncing
- Kerberos/UPNNameHints
- Privacy/AllowCrossDeviceClipboard
- Privacy/DisablePrivacyExperience
- Privacy/UploadUserActivities
- Security/RecoveryEnvironmentAuthentication
- System/AllowDeviceNameInDiagnosticData
- System/ConfigureMicrosoft365UploadEndpoint
- System/DisableDeviceDelete
- System/DisableDiagnosticDataViewer
- Storage/RemovableDiskDenyWriteAccess
- TaskManager/AllowEndTask
- Update/DisableWUfBSafeguards
- Update/EngagedRestartDeadlineForFeatureUpdates
- Update/EngagedRestartSnoozeScheduleForFeatureUpdates
- Update/EngagedRestartTransitionScheduleForFeatureUpdates
- Update/SetDisablePauseUXAccess
- Update/SetDisableUXWUAccess
- WindowsDefenderSecurityCenter/DisableClearTpmButton
- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
- WindowsLogon/DontDisplayNetworkSelectionUI |
+| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. |
+| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. |
+| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. |
+| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. |
+| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. |
+| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. |
+| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. |
+| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. |
+| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. |
+| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. |
+
+
## Change history for MDM documentation
-To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
\ No newline at end of file
+To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
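Review bot: The link text `[Wifi CSP]` in the 1809 table is cased differently from wifi-csp.md itself, which writes "WiFi CSP"; change the row to `[WiFi CSP](wifi-csp.md)`. The added heading `## What’s new in MDM for Windows 10, version 1809` also uses a typographic apostrophe while the closing sentence uses a straight one ("what's changed"); use the straight form in the heading so the generated anchor stays predictable.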
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 84ff8f5e34..028da43967 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows
### User configuration diagram
-The following diagram shows the PassportForWork configuration service provider in tree format.
+The following shows the PassportForWork configuration service provider in tree format.
-
+```console
+./User/Vendor/MSFT
+PassportForWork
+-------TenantId
+----------Policies
+-------------UsePassportForWork
+-------------RequireSecurityDevice
+-------------EnablePinRecovery
+-------------PINComplexity
+----------------MinimumPINLength
+----------------MaximumPINLength
+----------------UppercaseLetters
+----------------LowercaseLetters
+----------------SpecialCharecters
+----------------Digits
+----------------History
+----------------Expiration
+```
### Device configuration diagram
-The following diagram shows the PassportForWork configuration service provider in tree format.
+The following shows the PassportForWork configuration service provider in tree format.
-
+```console
+./Device/Vendor/MSFT
+PassportForWork
+-------TenantId
+----------Policies
+-------------UsePassportForWork
+-------------RequireSecurityDevice
+-------------ExcludeSecurityDevices
+----------------TPM12
+-------------EnablePinRecovery
+-------------UserCertificateForOnPremAuth
+-------------PINComplexity
+----------------MinimumPINLength
+----------------MaximumPINLength
+----------------UppercaseLetters
+----------------LowercaseLetters
+----------------SpecialCharacters
+----------------Digits
+----------------History
+----------------Expiration
+-------------Remote
+----------------UseRemotePassport
+-------------UseHelloCertificatesAsSmartCardCertificates
+-------UseBiometrics
+-------Biometrics
+----------UseBiometrics
+----------FacialFeatureUse
+-------DeviceUnlock
+----------GroupA
+----------GroupB
+----------Plugins
+-------DynamicLock
+----------DynamicLock
+----------Plugins
+-------SecurityKey
+----------UseSecurityKeyForSignin
+```
**PassportForWork**
Root node for PassportForWork configuration service provider.
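Review bot: The user tree spells the PINComplexity child `SpecialCharecters`, while the device tree added in the same hunk spells it `SpecialCharacters`. These trees replace images and are now the text people copy node paths from, so a misspelled node name turns into a failing OMA-URI. Correct the user tree to `SpecialCharacters`, or, if the shipped node really differs between scopes, say so next to the tree. Also confirm that `UseBiometrics` is meant to appear both directly under PassportForWork and under `Biometrics` in the device tree.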
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 18c2823552..acf05925b9 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories:
> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
-The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
+The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
-
+```console
+./Vendor/MSFT
+Policy
+-------Config
+----------AreaName
+-------------PolicyName
+-------Result
+----------AreaName
+-------------PolicyName
+-------ConfigOperations
+----------ADMXInstall
+-------------AppName
+----------------Policy
+------------------UniqueID
+----------------Preference
+------------------UniqueID
+```
**./Vendor/MSFT/Policy**
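Review bot: The two `UniqueID` lines are indented by only two more dashes than their parents (`Policy`, `Preference`), while every other level in this tree steps by three. Because dash count is the only thing that carries nesting in the text form, make the step uniform so `UniqueID` reads unambiguously as a child. The fence is tagged `console` although the content is not terminal output; `text` would avoid misleading syntax highlighting.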
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index d86682733e..644cc93fd2 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1551,7 +1551,8 @@ ADMX Info:
Home |
-  |
+ No |
+ No |
Pro |
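Review bot: The single removed cell after `Home |` is replaced by two `No |` cells. Check that the row still has the same number of columns as the table header and as the `Pro` row that follows; if the header was not widened elsewhere in this file, the extra cell will shift or break the edition table.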
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 83bbd6d38f..b30980d636 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -517,7 +517,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
> [!Warning]
-> This policy is in preview mode only and therefore not meant or recommended for production purposes.
+> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
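Review bot: The reworded warning names "The Web Sign-in feature", but the paragraph it sits above describes the quick first sign-in experience for Shared PCs, not Web Sign-in. If this policy depends on Web Sign-in, state that dependency in the warning; otherwise the old wording ("This policy is in preview mode only") was the accurate one for this section, and the new text could be read as saying the policy itself is production-ready.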
@@ -596,7 +596,7 @@ Value type is integer. Supported values:
> [!Warning]
-> This policy is in preview mode only and therefore not meant or recommended for production purposes.
+> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 908deebcb4..69c7b52c83 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -927,18 +927,18 @@ The following list shows the supported values:
-Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons.
+Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
showonly:about;bluetooth
-If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
+If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
-- There are two variants: one that shows only the given pages and one which hides the given pages.
+- There are two variants: one that shows only the given pages and one that hides the given pages.
- The first variant starts with the string "showonly:" and the second with the string "hide:".
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
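Review bot: The edited sentence keeps the statement that an incorrectly formatted policy string "will be ignored entirely (that is, treated as not set)", which means a typo in a `hide:` or `showonly:` list silently leaves every page visible. Since this is a restriction policy that fails open, add a sentence telling admins to confirm the result on a device (the validation steps further down cover this) rather than relying on the policy having been delivered. The context line "The value is a unicode string" should also capitalize "Unicode".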
@@ -964,7 +964,7 @@ ADMX Info:
-To validate on Desktop, do the following:
+To validate on Desktop, use the following steps:
1. Open System Settings and verify that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index e2d40a822a..1b7b94e690 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -19,15 +19,56 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
+The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
-
+```console
+PXLOGICAL
+----DOMAIN
+----NAME
+----PORT
+-------PORTNBR
+-------SERVICE
+----PUSHENABLED
+----PROXY-ID
+----TRUST
+----PXPHYSICAL
+-------DOMAIN
+-------PHYSICAL-PROXY-ID
+-------PORT
+---------PORTNBR
+---------SERVICE
+-------PUSHENABLED
+-------PXADDR
+-------PXADDRTYPE
+-------TO-NAPID
+```
-The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
-
+The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
+
+```console
+PXLOGICAL
+--PROXY-ID
+----DOMAIN
+----NAME
+----PORT
+-------PORTNBR
+-------SERVICE
+----PUSHENABLED
+----TRUST
+----PXPHYSICAL
+-------PHYSICAL-PROXY-ID
+----------DOMAIN
+----------PORT
+-------------PORTNBR
+-------------SERVICE
+----------PUSHENABLED
+----------PXADDR
+----------PXADDRTYPE
+----------TO-NAPID
+```
+
**PXPHYSICAL**
Defines a group of logical proxy settings.
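Review bot: Nesting depth in the two PXLOGICAL trees is carried only by dash count, and the step is not consistent: in the first tree `PORT` under `PXPHYSICAL` sits at seven dashes with children at nine, while the top-level `PORT` has children at seven; the second tree starts with a two-dash step and then switches to three. Use one fixed step per level in both trees so a reader can tell which node each `PORTNBR` and `SERVICE` belongs to. Also confirm the context line that follows, "**PXPHYSICAL** Defines a group of logical proxy settings", is describing the right node now that the tree is text.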
@@ -37,7 +78,7 @@ The element's mwid attribute is a Microsoft provisioning XML attribute, and is o
**DOMAIN**
Specifies the domain associated with the proxy (for example, "\*.com").
-A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy.
+A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy.
**NAME**
Specifies the name of the logical proxy.
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 4ffdbad557..fbc7a1ec31 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -23,9 +23,13 @@ The SecurityPolicy configuration service provider is used to configure security
For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
+The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
-
+```console
+./Vendor/MSFT
+SecurityPolicy
+----PolicyID
+```
***PolicyID***
Defines the security policy identifier as a decimal value.
@@ -48,7 +52,7 @@ The following security policies are supported.
4104
-Hex:1008 |
+Hex: 1008
TPS Policy |
This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.
Default value: 1
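Review bot: Changing `Hex:1008 |` to `Hex: 1008` adds the space but also drops the trailing `|` cell delimiter, while the neighbouring `TPS Policy |` cell keeps it. The same happens in the 4105 (`Hex: 1009`) and 4108 (`Hex: 100c`) rows in the next two hunks. Unless the pipe was being removed on purpose, restore it so the policy ID and policy name stay in separate columns.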
@@ -58,7 +62,7 @@ The following security policies are supported.
|
4105
-Hex:1009 |
+Hex: 1009
Message Authentication Retry Policy |
This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.
Default value: 3
@@ -66,7 +70,7 @@ The following security policies are supported.
|
4108
-Hex:100c |
+Hex: 100c
Service Loading Policy |
This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.
Default value: 256 (SECROLE_KNOWN_PPG)
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 9472789042..f82377ff80 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -48,6 +48,8 @@ items:
href: device-update-management.md
- name: Bulk enrollment
href: bulk-enrollment-using-windows-provisioning-tool.md
+ - name: Secured-Core PC Configuration Lock
+ href: config-lock.md
- name: Management tool for the Microsoft Store for Business
href: management-tool-for-windows-store-for-business.md
items:
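Review bot: The new entry points at `config-lock.md`; confirm that file is added in this same change set, otherwise the TOC ships a broken link. The display name `Secured-Core PC Configuration Lock` should match the article's own title casing (Microsoft writes the product term as "Secured-core PC").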
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 42a6882673..80121f22ea 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP
Important considerations:
-- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN.
+- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN.
- VPN configuration commands must be wrapped with an Atomic command as shown in the example below.
@@ -31,9 +31,61 @@ Important considerations:
- For the VPN CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the VPN configuration service provider in tree format.
+The following shows the VPN configuration service provider in tree format.
-
+```console
+./Vendor/MSFT
+VPN
+-----ProfileName
+---------Server
+---------TunnelType
+---------ThirdParty
+-------------Name
+-------------AppID
+-------------CustomStoreURL
+-------------CustomConfiguration
+---------RoleGroup
+---------Authentication
+-------------Method
+-------------Certificate
+---------------Issuer
+---------------EKU
+---------------CacheLifeTimeProtectedCert
+-------------MultiAuth
+---------------StartURL
+---------------EndURL
+-------------EAP
+---------Proxy
+-------------Automatic
+-------------Manual
+---------------Server
+---------------Port
+-------------BypassProxyforLocal
+---------SecuredResources
+-------------AppPublisherNameList
+---------------AppPublisherName
+-------------AppAllowedList
+---------------AppAllowedList
+-------------NetworkAllowedList
+---------------NetworkAllowedList
+-------------NameSapceAllowedList
+---------------NameSapceAllowedList
+-------------ExcudedAppList
+---------------ExcudedAppList
+-------------ExcludedNetworkList
+---------------ExcludedNetworkList
+-------------ExcludedNameSpaceList
+---------------ExcludedNameSpaceList
+-------------DNSSuffixSearchList
+---------------DNSSuffixSearchList
+---------Policies
+-------------RememberCredentials
+-------------SplitTunnel
+-------------BypassforLocal
+-------------TrustedNetworkDetection
+-------------ConnectionType
+---------DNSSuffix
+```
***ProfileName***
Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
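Review bot: Several node names under `SecuredResources` in the new tree look misspelled: `NameSapceAllowedList` and `ExcudedAppList`, next to the correctly spelled `ExcludedNetworkList` and `ExcludedNameSpaceList`. Because this text replaces an image and becomes the source for copy-pasted node paths, verify each name against the CSP's DDF. If the typos are the actual shipped node names, keep them and add a short remark saying so; if they were transcribed from the old image, correct them. `BypassProxyforLocal` and `BypassforLocal` deserve the same check for casing.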
@@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace.
Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com.
**TunnelType**
-Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
+Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Value type is chr. Supported operations are Get and Add.
**ThirdParty**
-Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
+Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Supported operations are Get and Add.
@@ -73,17 +125,17 @@ Valid values:
- Checkpoint Mobile VPN
**ThirdParty/AppID**
-Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
+Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
**ThirdParty/CustomStoreURL**
-Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app.
+Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
**ThirdParty/CustomConfiguration**
-Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
+Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Value type is char. Supported operations are Get, Add, Replace, and Delete.
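Review bot: The `ThirdParty/CustomConfiguration` entry ends with "Value type is char." while the two entries above it in this hunk say "Value type is chr." Since the line above is already being edited, align this one to `chr` as well. "enterprise approved plugin" in the `ThirdParty/AppID` line could also take the hyphen that this patch adds to "plugin-specific".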
@@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col
Supported operations are Get and Add.
**Authentication/Method**
-Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
+Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Supported operations are Get and Add.
@@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie
Supported operations are Get and Add.
**Authentication/Certificate/Issuer**
-Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering.
+Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.
**Authentication/Certificate/EKU**
-Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering.
+Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@@ -175,16 +227,16 @@ Default is False.
Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported..
**SecuredResources/AppAllowedList/AppAllowedList**
-Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps.
+Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
Value type is chr.
Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u.
**SecuredResources/NetworkAllowedList/NetworkAllowedList**
-Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks.
+Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks.
Supported operations are Get, Add, Replace, and Delete.
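Review bot: The context line at the top of this hunk still ends with a double period ("VPN exclusions are not supported.."), and the edited `AppAllowedList` sentence keeps the ungrammatical "assuming protected networks defined allows access". Both are in text this patch is already polishing; fix the punctuation and reword to "assuming the defined protected networks allow access".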
@@ -202,7 +254,7 @@ Value type is chr.
An example is \*.corp.contoso.com.
**SecuredResources/ExcluddedAppList/ExcludedAppList**
-Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
+Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Supported operations are Get, Add, Replace, and Delete.
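Review bot: The heading above the edited line reads `SecuredResources/ExcluddedAppList/ExcludedAppList`, with a doubled "d" in the first segment, and the tree added earlier in this patch writes the same node as `ExcudedAppList`. That leaves three spellings for one node path in a single article. Settle on the name the CSP actually exposes and use it in the heading and the tree.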
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index e7321b1888..de649eb77b 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea
> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
-
+The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
-The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
-
-
+```console
+APPLICATION
+----APPID
+----NAME
+----TO-PROXY
+----TO-NAPID
+----ADDR
+----MS
+```
**APPID**
Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 7aaa801796..7745749716 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-
-The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
+The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
-
+```console
+APPLICATION
+---APPADDR
+------ADDR
+------ADDRTYPE
+------PORT
+---------PORTNBR
+---APPAUTH
+------AAUTHDATA
+------AAUTHLEVEL
+------AAUTHNAME
+------AAUTHSECRET
+------AAUTHTYPE
+---AppID
+---BACKCOMPATRETRYDISABLED
+---CONNRETRYFREQ
+---DEFAULTENCODING
+---INIT
+---INITIALBACKOFTIME
+---MAXBACKOFTIME
+---NAME
+---PROTOVER
+---PROVIDER-ID
+---ROLE
+---TO-NAPID
+---USEHWDEVID
+---SSLCLIENTCERTSEARCHCRITERIA
+```
> **Note** All parm names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.
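Review bot: `---AppID` in the added tree is mixed case, but the note directly below the fence says all parm names and characteristic types are case sensitive and must use all uppercase, and the w4 tree in this patch spells the same node `APPID`. Change it to `---APPID` so the listing agrees with the note. Also check `INITIALBACKOFTIME` and `MAXBACKOFTIME` against the parameter headings later in the file; the single F in BACKOF looks like a typo.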
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index e867ae66ef..e6864ea72c 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -29,9 +29,22 @@ Programming considerations:
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
-The following image shows the WiFi configuration service provider in tree format.
+The following shows the WiFi configuration service provider in tree format.
+
+```console
+./Device/Vendor/MSFT
+or
+./User/Vendor/MSFT
+WiFi
+---Profile
+------SSID
+---------WlanXML
+---------Proxy
+---------ProxyPacUrl
+---------ProxyWPAD
+---------WiFiCost
+```
-
The following list shows the characteristics and parameters.
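Review bot: In the added block, the two root paths and the word `or` sit on their own lines inside the fence, so `or` reads as a node of the tree. Move the choice between `./Device/Vendor/MSFT` and `./User/Vendor/MSFT` into the sentence above the fence, or show the root once per tree, and keep only nodes in the listing. While this section is being touched, the context line above has "Using Proxyis only supported"; add the missing space.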
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 4f22b0b48c..bba543313e 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -17,9 +17,25 @@ ms.date: 11/01/2017
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
-The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
+The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
-
+```console
+./Device/Vendor/MSFT
+WindowsAdvancedThreatProtection
+----Onboarding
+----HealthState
+--------LastConnected
+--------SenseIsRunning
+--------OnboardingState
+--------OrgId
+----Configuration
+--------SampleSharing
+--------TelemetryReportingFrequency
+----Offboarding
+----DeviceTagging
+--------Group
+--------Criticality
+```
The following list describes the characteristics and parameters.
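Review bot: This tree marks depth with four and eight dashes (`----Onboarding`, `--------LastConnected`), while the WiFi tree added in the same patch uses three, six and nine (`---Profile`, `------SSID`). Use one dash width across the converted diagrams so depth reads the same on every CSP page. `WindowsAdvancedThreatProtection` is also flush left with `./Device/Vendor/MSFT`, so the listing does not show it as a child of that root; indent it or state the convention in the sentence before the fence.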
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 2fe71b5e76..7dfbe89239 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
|
MDM_BrowserSecurityZones |
- |
+Yes |
MDM_BrowserSettings |
- |
+Yes |
MDM_Certificate |
- |
+Yes |
MDM_CertificateEnrollment |
- |
+Yes |
MDM_Client |
@@ -106,7 +106,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
MDM_ConfigSetting |
- |
+Yes |
MDM_DeviceRegistrationInfo |
@@ -114,11 +114,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
MDM_EASPolicy |
- |
+Yes |
MDM_MgMtAuthority |
- |
+Yes |
MDM_MsiApplication |
@@ -138,7 +138,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
MDM_Restrictions |
- |
+Yes |
MDM_RestrictionsUser |
@@ -146,7 +146,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
MDM_SecurityStatus |
- |
+Yes |
MDM_SideLoader |
@@ -158,11 +158,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
MDM_Updates |
- |
+Yes |
MDM_VpnApplicationTrigger |
- |
+Yes |
MDM_VpnConnection |
@@ -174,27 +174,27 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
MDM_WirelessProfile |
- |
+Yes |
MDM_WirelesssProfileXML |
- |
+Yes |
MDM_WNSChannel |
- |
+Yes |
MDM_WNSConfiguration |
- |
+Yes |
MSFT_NetFirewallProfile |
- |
+Yes |
MSFT_VpnConnection |
- |
+Yes |
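Review bot: The context row `MDM_WirelesssProfileXML` in this hunk has three consecutive "s" characters, which looks like a typo in the class name. Since the cells on both sides of it are being edited, confirm the spelling against the MDM Bridge WMI Provider reference linked from this section and correct it in the same change.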
SoftwareLicensingProduct |
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
-| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
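Review bot: Rows that do not receive `Yes` in this hunk, such as `wpcRatingsDescriptor`, keep an empty cell under "Test completed in Windows 10 for desktop". Now that the column is text, an empty cell does not say whether the test failed or was never run. Fill those cells with an explicit value, or add a sentence above the table stating what a blank cell means.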
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
|--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | 
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | 
+[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
+[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | 
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | 
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | 
+[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
+[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
+[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | 
+[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
+[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | 
+[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
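Review bot: The added `Win32\_DesktopMonitor` row is written `|Yes` with no space after the pipe, while every other row added in this hunk uses `| Yes`. Add the space so the column is formatted consistently.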
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | 
+[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | 
+[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | 
+[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | 
+[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | 
+[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
-[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | 
-[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | 
+[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes
+[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes
[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
-[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | 
-[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | 
+[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes
+[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes
[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
-[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | 
+[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
-[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | 
+[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes
[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
-[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | 
+[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes
[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
-[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | 
+[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index ac0783dddb..0f58cd49f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -17,7 +17,7 @@ ms.author: greglin
Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
-:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
+:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
## Where is Cortana available for use in my organization?
@@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
| Software | Minimum version |
|---------|---------|
-|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
+|Client operating system | - Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
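Review bot: The rewritten "Client operating system" cell lists only Windows 10 versions, while the intro paragraph of this page says the Cortana app is in Windows 10 and Windows 11. Add Windows 11 to the minimum-version cell, or state in the cell that it covers Windows 10 only, so the table does not contradict the introduction.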
@@ -51,7 +51,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later, or Windows 11
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
+Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
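Review bot: In the "Cortana in Microsoft 365" link on the added line, `&preserve-view=true` comes after the `#what-data-is-processed-by-cortana-in-office-365` fragment, so it is parsed as part of the fragment and not as a query parameter. The line is being rewritten anyway, so move the parameter ahead of the `#`: `?view=o365-worldwide&preserve-view=true#what-data-is-processed-by-cortana-in-office-365`. The sentence also drops the "in Windows 10, version 2004 and later, or Windows 11" qualifier; that works only as long as the heading directly above keeps carrying it.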
@@ -77,7 +77,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
-:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
+:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index a43fafd84b..0a26a17390 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -7,46 +7,78 @@ ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
-ms.date: 10/05/2017
ms.reviewer:
manager: dansimp
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
->[!NOTE]
->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
+For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
+- **Allow Cortana**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`
+ - **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
+ - **Description**: Specifies if users can use Cortana.
-|**Group policy** |**MDM policy** |**Description** |
-|---------|---------|---------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
-> [!IMPORTANT]
-> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
-> [!NOTE]
-> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. |
-|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
-> [!NOTE]
-> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
-|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
-Users will still be able to type queries to Cortana. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
-**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
**In Windows 10, version 2004 and later**
Cortana will work, but voice input will be disabled. |
-|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
-**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
-**In Windows 10, version 1607 and later**
-Cortana still works if this setting is turned off (disabled).
-**In Windows 10, version 2004 and later**
-Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. |
-|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
-Disable this setting if you only want to allow users to sign in with their Azure AD account. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
-**In Windows 10, version 2004 and later**
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
-**In Windows 10 Pro edition**
This setting can’t be managed.
-**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).
-**In Windows 10, version 2004 and later**
This setting no longer affects Cortana.
|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
-> [!NOTE]
-> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
\ No newline at end of file
+ Cortana won’t work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off.
+
+- **AllowCortanaAboveLock**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock`
+ - **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock)
+ - **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked.
+
+ This setting:
+
+ - Doesn't apply to Windows 10, versions 2004 and later
+ - Doesn't apply to Windows 11
+
+- **LetAppsActivateWithVoice**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice`
+ - **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice)
+ - **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”.
+
+ This setting applies to:
+
+ - Windows 10 versions 2004 and later
+ - Windows 11
+
+ To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization).
+
+- **LetAppsAccessMicrophone**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
+ - **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
+ - **Description**: Disables Cortana’s access to the microphone. To use this setting, enter Cortana’s Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
+
+- **Allow users to enable online speech recognition services**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
+ - **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
+ - **Description**: Specifies whether users can use voice commands with Cortana in your organization.
+ - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
+ - **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
+ - **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
+
+- **AllowLocation**
+ - **Group policy**: None
+ - **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
+ - **Description**: Specifies whether to allow app access to the Location service.
+ - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
+ - **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
+ - **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
+
+- **AllowMicrosoftAccountConnection**
+ - **Group policy**: None
+ - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
+ - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
+
+- **Allow search and Cortana to use location**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
+ - **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
+ - **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
+
+- **Don't search the web or display web results**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
+ - **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
+ - **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
+ - **Windows 10 Pro edition**: This setting can’t be managed.
+ - **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
+ - **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.
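Review bot: The old table's last row, `Search/SafeSearchPermissions` ("Set the SafeSearch setting for Search"), has no counterpart in the new list. The removed note says it applied only to Windows 10 Mobile, so dropping it may be intended, but the change description should say so instead of losing a policy inside a table-to-list conversion. Two entries also shift in meaning: the Allow Cortana warning was an `[!IMPORTANT]` callout and is now a plain paragraph, and AllowCortanaAboveLock went from "do not currently support Above Lock" to "Doesn't apply", which removes "currently".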
diff --git a/windows/configuration/cortana-at-work/images/screenshot1.png b/windows/configuration/cortana-at-work/images/screenshot1.png
new file mode 100644
index 0000000000..ed62740e92
Binary files /dev/null and b/windows/configuration/cortana-at-work/images/screenshot1.png differ
diff --git a/windows/configuration/cortana-at-work/images/screenshot2.png b/windows/configuration/cortana-at-work/images/screenshot2.png
new file mode 100644
index 0000000000..fb7995600e
Binary files /dev/null and b/windows/configuration/cortana-at-work/images/screenshot2.png differ
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index ac5d6ad1fd..df13bd302b 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -13,14 +13,13 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
-- Windows 10
+- Windows 10
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
@@ -90,7 +89,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
MDM and Group Policy |
The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.
Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). |
+MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Removable storage.
Assigned Access: launch a UWP app on sign-in and lock access to system |
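Review bot: The removed Intune sentence ended the table cell (`... (Windows 10 Mobile only). |`), and the added line `In Microsoft Intune, use Removable storage.` does not. Check that the cell's closing markup was not deleted together with the old text; if it was, the "Assigned Access" row that follows would render inside this cell. The setting name "Removable storage" would also be easier to spot in bold.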
diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md
index 7ec5414862..0d118520fc 100644
--- a/windows/security/security-foundations.md
+++ b/windows/security/security-foundations.md
@@ -24,7 +24,7 @@ Use the links in the following table to learn more about the security foundation
| Concept | Description |
|:---|:---|
-| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.
Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
+| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.
Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.
Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). |
| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).|
| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.
Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index a85b739253..6846561482 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 09/07/2021
+ms.date: 10/20/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -29,7 +29,7 @@ This event generates only on domain controllers.
If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”.
-This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
+This event doesn't generate for **Result Codes**: 0x10 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
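Review bot: Removing 0x17 from the sentence "This event doesn't generate for **Result Codes**: 0x10 and 0x18" changes which event ID readers are told to expect for that failure, and this hunk updates only one side of the statement. event-4771.md is linked from the same sentence; if it still lists 0x17, the two pages will contradict each other, so it should be checked and updated in the same change. Anyone filtering failed TGT requests by event ID relies on this list, so a brief mention of the correction in the commit message would help.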
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index d8e91b8642..d91da6e81c 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/09/2021
+ms.date: 10/20/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -47,4 +47,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
Windows 11 |
| Browser | Microsoft Edge |
-| Management system
(only for managed devices)| [Microsoft Intune](/intune/) **OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |
+| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
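Review bot: The added Management system row contains a typo, "non-Mirosoft MDM solutions", which should read "non-Microsoft". The Operating system row just above still says "3rd party mobile device management (MDM) solutions", so the terminology is now inconsistent within the same table. Update that row to "non-Microsoft" as well if the wording change is meant to be a style fix.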
diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md
index e48159d8fd..4eafe42218 100644
--- a/windows/whats-new/windows-11-whats-new.md
+++ b/windows/whats-new/windows-11-whats-new.md
@@ -1,6 +1,6 @@
---
title: Windows 11, what's new and overview for administrators
-description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, the new desktop, and deploying and servicing PCs.
+description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
manager: dougeby
ms.audience: itpro
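Review bot: The updated `description` still carries the grammatical error "Read about see the features" from the old line. Since the line is being rewritten anyway, fix it here, for example "Read about the features IT professionals and administrators should know about". This text surfaces in search results, so it is worth getting right.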
@@ -136,7 +136,16 @@ For more information on the security features you can configure, manage, and enf
Users can manage some desktop features using **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Multiple desktops in Windows](https://support.microsoft.com/windows/multiple-desktops-in-windows-11-36f52e38-5b4a-557b-2ff9-e1a60c976434).
-## Use your same apps, improved
+## Use your same apps, and new apps, improved
+
+- Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can download and install **Android™️ apps** from the Microsoft Store. This feature is called the **Windows Subsystem for Android**, and allows users to use Android apps on their Windows devices, similar to other apps installed from the Microsoft Store.
+
+ Users open the Microsoft Store, install the **Amazon Appstore** app, and sign in with their Amazon account. When they sign in, they can search, download, and install Android apps.
+
+ For more information, see:
+
+ - [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
+ - [Windows Subsystem for Android developer information](/windows/android/wsa)
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
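Review bot: This page is the overview for administrators, but the added Android bullet only describes the user flow (install the **Amazon Appstore** app, sign in with an Amazon account) and says nothing about whether or how admins can allow or block that flow on managed devices. Add a sentence pointing to the relevant management guidance, or state that the feature is limited to Windows Insider devices for now. Two smaller points: "Android™️" includes an emoji variation selector after the trademark sign where a plain "™" would render more consistently, and the new heading "Use your same apps, and new apps, improved" reads awkwardly.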